From 7ba306cfe6160d9ae63322747deeb2f8308a9bae Mon Sep 17 00:00:00 2001
From: Chris Doherty <chris.doherty4@gmail.com>
Date: Tue, 21 Feb 2023 10:09:32 -0600
Subject: [PATCH 01/14] Add tinkerbell CRD refactor design

Signed-off-by: Chris Doherty <chris.doherty4@gmail.com>
---
 design/14_tinkerbell_crd_refactor/proposal.md | 462 ++++++++++++++++++
 .../workflow_state.puml                       |  13 +
 .../workflow_state_machine.png                | Bin 0 -> 14834 bytes
 3 files changed, 475 insertions(+)
 create mode 100644 design/14_tinkerbell_crd_refactor/proposal.md
 create mode 100644 design/14_tinkerbell_crd_refactor/workflow_state.puml
 create mode 100644 design/14_tinkerbell_crd_refactor/workflow_state_machine.png

diff --git a/design/14_tinkerbell_crd_refactor/proposal.md b/design/14_tinkerbell_crd_refactor/proposal.md
new file mode 100644
index 0000000..0f0ddbb
--- /dev/null
+++ b/design/14_tinkerbell_crd_refactor/proposal.md
@@ -0,0 +1,462 @@
+# Tink CRD Refactor
+
+## Table of contents
+
+- [Tink CRD Refactor](#tink-crd-refactor)
+  - [Table of contents](#table-of-contents)
+  - [Overview](#overview)
+  - [Context](#context)
+  - [Goals/Non-goals](#goalsnon-goals)
+  - [Proposal](#proposal)
+    - [Custom Resource Definitions](#custom-resource-definitions)
+      - [`Hardware`](#hardware)
+      - [`OSIE`](#osie)
+      - [`Template`](#template)
+      - [`Workflow`](#workflow)
+    - [Workflow state transition](#workflow-state-transition)
+    - [Webhooks](#webhooks)
+    - [Data and functions available during template rendering](#data-and-functions-available-during-template-rendering)
+    - [Hegel Changes](#hegel-changes)
+  - [Migrating from v1alpha1 to v1alpha2](#migrating-from-v1alpha1-to-v1alpha2)
+  - [Rationale](#rationale)
+    - [Comparison with existing resources](#comparison-with-existing-resources)
+  - [Implementation Plan](#implementation-plan)
+  - [Future Work](#future-work)
+
+## Overview
+
+Tinkerbell's backend is rooted in 3 Custom Resource Definitions (CRDs): Hardware, Workflow and Template. The CRDs were developed as part of the KRM proposal that introduced a Kubernetes backend option to the Tinkerbell stack and mirrored the Postgres database schema (now deprecated and removed). As the CRDs were a reflection of the Postgres schema, they inherited the schemas flaws. This proposal attempts to remediate the flaws by refactoring the CRDs.
+
+## Context
+
+When users interact with Tinkerbell the primary interface is `kubectl` and Tinkerbell's CRDs: Hardware, Workflow and Template. The CRDs are hard to understand because they contain duplicate fields, obsolete fields, unclear semantics and, consequently, unclear system behavior expectations.
+
+Some specific issues with the CRDs are summarized as:
+
+**Hardware**
+
+1. Network information is specified in both `.Spec.Interfaces` and `.Spec.Metadata.Instance.Ips`. Only `.Spec.Interfaces` is used.
+1. Disk information is specified in both `.Spec.Disks` and `.Spec.Metadata.Instance.Storage`. `.Spec.Metadata.Instance.Storage` is unused.
+1. Userdata can be specified in both `.Spec.UserData` and `.Spec.Instance.Userdata`. `.Spec.Instance.Userdata` is unused.
+1. `.Spec.TinkVersion` has no functional use.
+1. `.Spec.Resources` was intended for use in CAPT as part of its Hardware selection algorithm but is yet to be implemented.
+1. `.Spec.Interfaces[].Netboot.{AllowPXE,AllowWorkflow}` and `.Spec.Metadata.Instance.AlwaysPxe` are seemingly related but reside on different objects and how they impact eachother is unclear.
+1. `.Spec.Metadata.Custom` defines specific fields that are related to other parts of Hardware.
+1. `.Status.State`, `.Spec.Metadata.Instance.State` and `.Spec.Metadata.State` have unclear semantics. The `.Spec` state fields impact the machine provisioning process but nothing in the core Tinkerbell stack sets their values. `.Status.State` is unused.
+
+**Template**
+
+1. Template defines a single field, `.Spec.Data`. The format of `.Spec.Data` is entirely ambiguous requiring the user to understand implementation detail. In summary, `.Spec.Data` is composed of a list of tasks that can run on different machines; a task is composed of a list of actions that perform a function such as streaming a raw image. The multi-machine capability has no known use-cases.
+1. The Template objects `.Status` field is unused.
+
+**Workflow**
+
+1. The `.Spec.HardwareMap` historically defines a template value used to render a tasks `WorkerAddr`. The `WorkerAddr` should be the MAC of the machine that should run the task. This creates a hard to understand relationship between Workflow and Template that users must understand to successfully execute Workflows.
+1. The `.Spec.GlobalTimeout` is unused and its origin is unclear (status fields are typically populated by Kubernetes controllers to build understanding of the current object state).
+1. Actions leverage the `WorkflowState` type that is intended to describe the overall state of the Workflow.
+
+Users resort to Q&A in the Tinkerbell Slack to determine what fields are required and how tweaking them impacts the system. The CRDs should be simple enough and sufficiently documented to aid users in understanding how they can manipulate the system.
+
+## Goals/Non-goals
+
+**Goals**
+
+- To de-duplicate Tink custom resource definition fields and data structures.
+- To provide clear behavioral expectations when manipulating custom resources.
+- To remove obsolete fields and data structures.
+
+**Non-goals**
+
+- To change the existing relationship between Tink and Rufio.
+- To introduce additional object status data typically found on the `.Status` field.
+- To support new technologies such as IPv6.
+
+## Proposal
+
+### Custom Resource Definitions
+
+The new set of CRDs will be defined as part of a `v1alpha2` API.
+
+#### `Hardware`
+
+```go
+// Hardware is a logical representation of a machine that can execute Workflows.
+type Hardware struct {
+	HardwareSpec
+}
+
+type HardwareSpec struct {
+	// NetworkInterfaces defines the desired DHCP and netboot configuration for a network interface.
+	// It is necessary to specify at least one NetworkInterface.
+	NetworkInterfaces NetworkInterfaces
+
+	// IPXE provides iPXE script override fields.
+	// Optional.
+	IPXE IPXE
+
+	// OSIE describes the Operating System Installation Environment to be netbooted.
+	OSIE OSIE
+
+	// Instance describes instance specific data that is generally unused by Tinkerbell core.
+	Instance Instance
+
+	// StorageDevices is a list of storage devices that will be available in the OSIE.
+	// Optional.
+	StorageDevices []StorageDevice
+
+	// BMCRef references a Rufio Machine object. It exists in the current API and will not be changed
+	// with this proposal.
+	BMCRef LocalObjectReference
+}
+
+// NetworkInterface is the desired configuration for a particular network interface.
+type NetworkInterface struct {
+	// DHCP is the basic network information for serving DHCP requests.
+	DHCP DHCP
+
+	// DisableDHCP disables DHCP for this interface. Implies DisableNetboot.
+	// Default false.
+	DisableDHCP bool
+
+	// DisableNetboot disables netbooting for this interface. The interface will still receive
+	// network information speified on by DHCP.
+	// Default false.
+	DisableNetboot bool
+}
+
+// DHCP describes basic network configuration to be served in DHCP offers.
+type DHCP struct {
+	IP      string
+	Netmask string
+
+	// Optional.
+	Gateway string
+
+	// Optional.
+	Hostname string
+
+	// Optional.
+	VLANID int
+
+	// Optional.
+	Nameservers []string
+
+	// Optional.
+	Timeservers []string
+
+	// Defaults to max allowed DHCP lease time.
+	LeaseTime int32
+}
+
+// OSIE describes an OSIE to be used with a Hardware. The environment data
+// is dependent on the OSIE being used and should be updated with the OSIE reference object.
+type Netboot struct {
+	// OSIERef is a reference to an OSIE object.
+	OSIERef LocalObjectReference
+
+	// KernelParams passed to the kernel when launching the OSIE. Parameters are joined with a
+	// space.
+	// Optional.
+	KernelParams []KernelParam
+}
+
+type IPXE struct {
+	// Inline is an inline iPXE script that will be served as specified on this property.
+	Inline *string
+
+	// URL is a URL to an hosted iPXE script.
+	URL *string
+}
+
+// Instance describes instance specific data. Instance specific data is typically dependent on the
+// permanent OS that a piece of hardware runs. This data is often served by an instance metadata
+// service such as Tinkerbell's Hegel. The core Tinkerbell stack does not leverage this data.
+type Instance struct {
+	// Userdata is data with a structure understood by the producer and consumer of the data.
+	Userdata string
+
+	// Vendordata is data with a structure understood by the producer and consumer of the data.
+	Vendordata string
+}
+
+// NetworkInterfaces maps a MAC address to a NetworkInterface.
+type NetworkInterfaces map[MAC]NetworkInterface
+
+// MAC is a Media Access Control address.
+type MAC string
+
+// StorageDevice describes a storage device path that will be present in the OSIE.
+type StorageDevice string
+
+// KernelParam defines an atomic kernel parameter that will be passed to the OSIE.
+type KernelParam string
+```
+
+#### `OSIE`
+
+`OSIE` is a new CRD. It exists to ensure OSIE URLs can be re-used and easily updated across `Hardware` instances.
+
+```go
+// OSIE describes and Operating System Initialization Environment. It is used by Tinkerbell
+// to provision machines and should launch the Tink Worker component.
+type OSIE struct {
+	Spec OSIESpec
+}
+
+type OSIESpec struct {
+	// KernelURL is a URL to a kernel image.
+	KernelURL string
+
+	// InitrdURL is a URL to an initrd image.
+	InitrdURL string
+}
+```
+
+#### `Template`
+
+```go
+// Template defines a set of actions to be run on a target machine. The template is rendered
+// prior to execution where it is exposed to Hardware and user defined data. All fields within
+// TemplateSpec may contain template values. See https://pkg.go.dev/text/template for more details.
+type Template struct {
+	Spec TemplateSpec
+}
+
+type TemplateSpec struct {
+	// Actions defines the set of actions to be run on a target machine. Actions are run sequentially
+	// in the order they are specified. At least 1 action must be specified. Names of actions
+	// must be unique within a Template.
+	Actions []Action
+
+	// Volumes to be mounted on all actions. If an action specifies the same volume it will take
+	// precedence.
+	// Optional.
+	Volumes []Volume
+
+	// Env defines environment variables to be available in all actions. If an action specifies
+	// the same environment variable it will take precedence.
+	// Optional.
+	Env map[string]string
+}
+
+// Action defines an individual action to be run on a target machine.
+type Action struct {
+	// Name is a unique name for the action.
+	Name ActionName
+
+	// Image is an OCI image.
+	Image string
+
+	// Command defines the command to use when launching the image.
+	// Optional.
+	Command string
+
+	// Args are a set of arguments to be passed to the container on launch.
+	Args []string
+
+	// Env defines environment variables used when launching the container.
+	// Optional.
+	Env map[string]string
+
+		// Volumes defines the volumes to mount into the container.
+	// Optional.
+	Volumes []Volume
+
+	// NetworkNamespace defines the network namespace to run the container in. This enables access 
+	// to the host network namespace.
+	// See https://man7.org/linux/man-pages/man7/namespaces.7.html.
+	NetworkNamespace string
+}
+
+// Volume is a specification for mounting a volume in an action. Volumes take the form
+// {SRC-VOLUME-NAME | SRC-HOST-DIR}:TGT-CONTAINER-DIR:OPTIONS. When specifying a VOLUME-NAME that 
+// does not exist it will be created for you.
+//
+// Examples
+//
+// Read-only bind mount bound to /data
+//   /etc/data:/data:ro
+//
+// Writable volume name bound to /data
+//   shared_volume:/data
+//
+// See https://docs.docker.com/storage/volumes/ for additional details
+type Volume string
+
+// ActionName is unique name within the context of a workflow.
+type ActionName string
+```
+
+#### `Workflow`
+
+```go
+// Workflow describes a set of actions to be run on a specific Hardware. Workflows execute
+// once and should be considered ephemeral.
+type Workflow struct {
+	Spec   WorkflowSpec
+	Status WorkflowStatus
+}
+
+type WorkflowSpec struct {
+	// HardwareRef is a reference to a Hardware resource this workflow will execute on.
+	// If no namespace is specified the Workflow's namespace is assumed.
+	HardwareRef LocalObjectReference
+
+	// TemplateRef is a reference to a Template resource used to render workflow actions.
+	// If no namespace is specified the Workflow's namespace is assumed.
+	TemplateRef LocalObjectReference
+
+	// TemplateData is user defined data that is injected during template rendering. The data
+	// structure should be marshalable.
+	// Optional.
+	TemplateData map[string]any
+
+	// Timeout defines the time the workflow has to complete. The timer begins when the first action
+	// is requested. When set to 0, no timeout is applied.
+	// Default 0.
+	Timeout int32
+}
+
+type WorkflowStatus struct {
+	// Actions is the list of rendered actions and their status.
+	Actions RenderedActions
+
+	// StartedAt is the time the first action was requested. Nil indicates the workflow has not
+	// started.
+	StartedAt *metav1.Time
+
+	// State describes the current state of the workflow. This fields represents a summation of
+	// action states. Specifically, if all actions succeeded, the workflow will succeed. If one
+	// action fails, the workflow fails irrespective of previous action status'.
+	State State
+
+	// Reason describes the reason for failure. It is only relevant when Result is ResultFailed.
+	// It is propogated from the failed action.
+	Reason Reason
+}
+
+// RenderedActions is a map of action name to RenderedAction.
+type RenderedActions map[ActionName]ActionStatus
+
+// ActionStatus describes status information about an action.
+type ActionStatus struct {
+	// Rendered is the rendered action.
+	Rendered Action
+
+	// StartedAt is the time the action was requested. Nil indicates the action has not started.
+	StartedAt *metav1.Time
+
+	// State describes the current state of the action.
+	State State
+
+	// Reason describes the reason for failure. It is only relevant when Result is ResultFailed.
+	Reason Reason
+
+	// Message is a freeform user friendly message describing the specific issue that caused the
+	// failure. It is only relevant when Result is ResultFailed.
+	Message string
+}
+
+// State describes the point in time state of a workflow or action.
+type State string
+
+const (
+	StatePending   State = "Pending"
+	StateRunning   State = "Running"
+	StateSucceeded State = "Succeeded"
+	StateFailed    State = "Failed"
+)
+
+// Reason is a one-word TitleCase string indicating why a failure occurred. It is not restricted
+// to the values defined with this API.
+type Reason string
+
+const (
+	ReasonUnknown Reason = "Unknown"
+	ReasonTimeout Reason = "Timeout"
+)
+```
+
+### Workflow state transition
+
+![Workflow state transitions](https://raw.githubusercontent.com/tinkerbell/roadmap/b7b2362997c01ffa52758e10259b8f55e81f7447/design/14_tinkerbell_crd_refactor/workflow_state_machine.png)
+
+Actions follow a similar state transition model.
+
+### Webhooks
+
+We will introduce a set of basic webhooks for validating each CRD. The webhooks will only validate the `v1alpha2` API version. They will be implemented as part of the `tink-controller` component.
+
+### Data and functions available during template rendering
+
+Templates will have access to a subset of `Hardware` data when they are rendered. Injecting `Hardware` data was outlined in a [previous proposal](https://github.com/tinkerbell/proposals/tree/e24b19a628c6b1ecaafd566667155ca5d6fd6f70/proposals/0028). The existing implementation only injects disk that will, based on this proposal, be sources from the `.Hardware.StorageDevices` list.
+
+The previous proposal did not outline a set of custom functions injected into templates. The custom functions are detailed in [`template_funcs.go`](https://github.com/tinkerbell/tink/blob/main/internal/workflow/template_funcs.go) and include:
+
+* `contains`: determine if a string contains a substring.
+* `hasPrefix`: determine if a string has a prefix.
+* `hasSuffix`: determine if a string has a suffix.
+* `formatPartition`: formats a string representing a device path with a specific partition. For example, `{{ formatPartition "/dev/sda" 1 }}` will result in `/dev/sda1`.
+
+These functions will continue to be available during template rendering.
+
+### Hegel Changes
+
+Hegel will undergo a reduction in the endpoints it serves because the data is no longer available in the `Hardware` resource. Minimally, Hegel will serve the following endpoints:
+
+* `/2009-04-04/meta-data/instance-id`
+* `/2009-04-04/user-data`
+
+## Migrating from v1alpha1 to v1alpha2
+
+Given the relative immaturity of the Tinkerbell API we will not provide any migration tooling from `v1alpha1` to `v1alpha2`. Users will be required to manually convert `Hardware` and `Template` resources. `Workflow` resources are considered ephemeral and can generally be deleted.
+
+## Rationale
+
+### Comparison with existing resources
+
+**Hardware**
+
+The features available to toggle DHCP behavior have been reduced to 2 options specified on the `NetworkInterface` data structure: `DisableNetboot` and `DisableDHCP`. This is in contrast to the existing `Hardware` that defines 4 different properties across various data structures including the `State` fields that require specific, undocumented string values to alter behavior.
+
+We rationalized that a machine can only boot a single OSIE at a time because operators do not regularly change the OSIE they want to use, and that there are weak use-cases for multi-OSIE support. Consequently, the ability to support different OSIEs per network interface has been removed in favor of supporting a single OSIE definition.
+
+Numerous fields served by Hegel have been removed with only the fields necessary for honoring cloud-init remaining under the `Instance` field. This significantly reduces the data available for Hegel to serve and _will_ break some Tinkerbell maintained actions that leverage Hegel data to configure disks. A separate proposal will address user defined metadata and how Hegel will serve that data.
+
+**Template**
+
+Templates are explicitly defined as part of the CRD in contrast to the free-form string that required a specific, largely undocumented, format in the existing definition. This will signficantly improve the user experience as it establishes clear expectations and feature support.
+
+[Tasks](https://github.com/tinkerbell/tink/blob/main/internal/workflow/types.go#L13) used for multi-worker workflows have been removed. Multi-worker workflows have been unsupported since the transition to the Kubernetes backend. This, subsequently, removes the need to specify device IDs (device IDs are specified on the `Workflow`) when rendering templates simplifying the `Workflow` and `Template` relationship.
+
+The `PID` field has been removed in favor of a `Network` field. This facilitates known use-cases that require the container to run in the host network namespace.
+
+`On*` fields have been removed. The `On*` fields provided rudimentary event based mechanisms for executing arbitrary logic. The semantics were unclear and use-cases unknown.
+
+All fields on the `TemplateSpec` will support templatable values in accordance with the [`test/template` Go standard library package](https://pkg.go.dev/text/template).
+
+**Workflow**
+
+Tasks no longer feature on `WorkflowStatus` as they pertain to multi-worker workflows that are no longer supported.
+
+Reasons for failures have been introduced as a core concept, via the `Reason` field, around status reporting of actions. This enables programmatic failure reason identification and comparison. A future proposal will address how users can provide customized machine comparable reasons for failed actions.
+
+The `Workflow` provides a `TemplateData` field that can be used to inject arbitrary data into templates. This facilitates users wanting to model variable data on `Template`s that has per-`Workflow` values.
+
+## Implementation Plan
+
+1. All services that have unreleased changes will be released under a new version. This provides a baseline of functional services that can be used in the Tinkerbell Helm charts.
+
+2. Develop the code to leverage the `v1alpha2` API.
+
+3. Hard cut over to the new API version. This means versions beyond those specified during (1) will no longer support the `v1alpha1` API.
+
+## Future Work
+
+Introducing mechanisms to propagate reasons and user readable messages for action failure. As these mechanisms do not exist currently and will not be realized through this proposal, the `.Workflow.Status.Reason` and `.Workflow.Status.Message` will have minimal benefit to the end user. The separate proposal will address the contract between actions and Tink Worker that can be used to propogate a reason and message to workflows.
+
+Maintainers have informally discussed inverting the relationship between `Hardware` and Rufio CRDs. This is necessary for defining a precedent on how to extend Tinkerbell functionality without expanding the scope of core Tinkerbell CRDs.
+
+Introduction of user defined metadata to be served by Hegel that could facilitate user defined actions. Similarly, injection of additional `Hardware` data when templates are rendered will be addressed on a separate ad-hoc basis.
+
+Separation of `Hardware.Instance` data into a separate CRD possibly owned by Hegel. Given the instance data is unused by the core Tinkerbell stack it 
diff --git a/design/14_tinkerbell_crd_refactor/workflow_state.puml b/design/14_tinkerbell_crd_refactor/workflow_state.puml
new file mode 100644
index 0000000..3b8c2f5
--- /dev/null
+++ b/design/14_tinkerbell_crd_refactor/workflow_state.puml
@@ -0,0 +1,13 @@
+@startuml Workflow State Machine
+
+[*] --> Pending : Workflow reconciled
+Pending --> Running : First action requested
+Running --> Succeeded
+Running --> Failed
+Succeeded --> [*]
+Failed --> [*]
+
+Succeeded : All actions completed\nsuccessfully
+Failed : An action failed
+
+@enduml
\ No newline at end of file
diff --git a/design/14_tinkerbell_crd_refactor/workflow_state_machine.png b/design/14_tinkerbell_crd_refactor/workflow_state_machine.png
new file mode 100644
index 0000000000000000000000000000000000000000..2470709d63cc8dc17030b66532a2c0b1aef03c4e
GIT binary patch
literal 14834
zcmd6ObyQUSyYI}%AP#~c3`j{SoeCmI3`k2$gLDZ}N{5UhB@zZGqJT6AN`tf#Vjx{2
zEg{_<_Zi>cIqRHz&RX}Zd;htAyz7-cdw=&gpXU?Lj?mIjBE!&Q5C{aBin6>80)f<r
z|CUKmaOHM*J16{)+e5+7!`ju&_m-`l2SUl##rC$Phpi2Zl`o5fhliVlprG3=OBWAM
z=UW2SuFjM~;*8LO_Dx+wkAJ(4KteM<uWme6*F*_Zgf6LX%6z9(i?4U=p8tpsa3D#f
zpj}Qm>*(#}JYUv->f}*UyzNJySH8(V_I`Lc@b&cepv>Y91wwX1e(6NUYHv23S3Jk&
zYQRkK`BZ_tk(-gMpQY%9^K`U^^67EMcE{6iwbS)Aqio}O|Ew^FH4|5!N4>t%Oc8ms
zK<7-HJZasR6`{<2W42BU!_KM^P5dIa991(}C4v;r^pKlxW0&L~^qKr3#CEkVQbtw2
zMMvvq-vG)hTOChalb(F8rb=Tf^6^_16^q#P16jYJuoWA$?BbIjUAK{n;;j@Im%OQD
zffpWMUM)IYj-3?Eq{#ijGbbnQoG27`<y~B!w(*4#8#1D{uTv(rG0O|;`z`#xvjh41
zZEWtJ_x!Y*r50kYY+3WNY0E~|cG6)oO6y7CDzV>E=_^Kr6FOz8KJip60&$sBMP63d
z=jXy}e?x4~@aGyQ-)|xf3<)IMY?T*vAFcXzUN`Fqqw-UZ4(l}F6{Wzwci?FjrlyR+
zqs(H<g}z@qm+9&wr;tM;doDmoTU+FNz6W_|@19g%SM}bI|E68={NVi3bj-o`JgH(k
zyViZ_;@<hvK9TJx3aif|7L*inXbQP(gd7PLNAd<m!m5iXyoMnqEq583otqo1@?JVC
z<u^*z#USSLy{*lDObaRh<yUQ>|K!)WA3uIbtrvLw=}Z)JElSBoq<&94N|6or>u$s&
zkKMj=$H)}g`n*lMzBI!8t+*X-VB}DH(Vlk6V(0j&vjxB40@0JFPyM@-8XM(ln6S8K
z^)H02XH)QF4PnJI*$AsO(+{^Zlx}>i<iqjc`!8{Gb9?F|dTo(9$i}jP3U}+*SiGkZ
zUKat~#^U-ZSm1RE+m~atkelQ|)aj`38x8Md;hJ~9><bKwm%63p7<BB>qaZOcu|xH6
z42vqejLb-j3~92Ie|(byngY!hdQzC;D3VriDi-EJ`)(TkSeQ2Q!9K(B<Hu=GSR70f
znt}(fg?xa4m;HV1{}-2TDI*mW6f!b0ip-?~wwJ#N*6q)}eSf&|K8VinduC3L`%rD*
z6+yum3=55Zeem&9G<=3`<BcaC-(H()O-V_4%BlHqV0HEO_i-!H3s=R&%F9RYnur}V
zM={)}@>=-y;bIvH>5R#Dnt=k#hQotBGUi&o!7^v3_LPtB>kd`X6r_D9(;GLA_NQec
zpT$V;lJrf^4-_}eCrSBBc+B7#w%K`Dq@`>1-s<Z}tLoH83f7)sWK=^_Fz6%R8UIRF
z_<CijI(V)q=;+X@x2?@}wmYZUK3kA@lsZ6f!fGR&PVU=_2C)JLSV<am!0H#y3K~Jv
z3j9r?y0kRwiRP%K;hM;|Yk#tmhd<om?0j$f;lj<%bgv$@B*~qhrA};N?i0=YMn#Q%
zedV^_;+vY9bWWzINIJBqKz}U#T3?Df!&rLr5+Wn7`S?`mXSYmA+O)*BCW=L(V|Uu$
zTx}A`{bgomW~}t4^pwp0as%)C>dsV!$i<<mtjx@Zw(rbpW+x`ry02@Bx(+i|X&V{c
z+)mMdXG(YGOnAdm-}@0-^8ia0D!yvJ4aXbkmc{1DZ_kyY=r{VUV>T9t{J%cqhH+ug
zDLEtA+G#U04yDFXC)~Xy{MKj0MgqDDEU$`8FiZNR=;XNdu%X;Vt*z?u$W;B9$g|(7
zSDG2Z$eDJhWsbP55IZcl6(5~(KROKLyRM@%zOXP<Y~Oa#{s+rLk*f;kKeGMmQR9~K
z!Hy3fJ`{??1<vJ{do0y-O6%(CT6B>V&(GiLc4$QE>*>ilYfA5&`?)aPmVC6{rOB*o
zJ(}`T<mLtFP~hGs8RKQG`G{K_#+HKW?94+$xDx9~Lk=magZ@J6#l^+HL%~lc2b~qm
zC@Cq~To{~~3iUT|aF~IWaQ`ws*p;O@VHHB(_{pT)r3p5PeUpNW-S;!C4gqVeVqvG4
zqvsgdVms|yUxrW*VTx;CJ$>>-i%NE%^V~U$v1q0%E(1mAv8cT)56#~1>OaG-XKAp8
zdCv9P+SxsvrWY3%XA|b)Qoh6AaD1cln&83eH^CQ*tQKiHKa3M*uH)xjaK~SSM@Cv-
z#T&jxx!HQpv|Fx>H&JnFG|t0`dF0O`{rLXC@8342dFDX}rG{tR?+?Vt92%ByL>lRC
zuPnf5M8(oIk-N7Qm#-rIH|G<CEI&QO^6u~NH^(r?glM0j-7*W5<+?E6k*1V9qN1Wg
z8IjHI@Xq$Ptb)8e3A)8DRTEiM#cGPL#A0!I8p!0pO*#Rk?%VE7)|bwmBWk^&8+!4=
z1tEVpnE||KF?gmcUKaZMZrN|~N4xKj<U&xEYm?8-d$SS8#3!UrGP5Qx)$WlCI1E*a
z8V|uri|kWq{JLvxZ7oWR3sp8PvWc)ueSG{pH|`QuLn$JEsHL@4fsLNl>JksnLkvrA
zD&Bu<k##hqDpg1>@se{pqM7d{am5>7U*E~;=`^`3KFby&^GyvxH_#TFaOkrW*c}vV
ze&SIle>2k1aJZzusP&xFPg9H%isUG<M2FK<MMi#m%&ruBYPC9G=fdeiPewk}A%u|Q
z<c!-p)5%eiTq?+-f7XFzsH20@M1BrI_9~v=1fsbyH9}HK3eF*KQrOUkJI7f$>Cq_D
z#_ZOIoOcd(HyU0WrEe_^ZoT#%eoXV!j`D0p?_jyBxuIdWkuF(5{Gt`{ZE5dCMjh0#
zV@-KsVM?E)nLJI9m3wY~Iy2r}4YL{wC1WUa>Ras6lsU++965WN!sHJ`HLL!X;GY%l
z6B98q0-3fKJ4_Al7<-95dGdsX`kaKgIKN>59>b!aj<BxqU7LcP;P6l?XX{muW2uYz
zjc$&w-@Y-scNHa^sbk1yQ>l}Fd7KB|orntO|C=H(EDta#C`hP~AF>fVc*q+6y7YgW
zMZy<Yhrgt0B8^8*^WeFnW@cvA*FB8THg<N+jg1B2kW6h<uU(_u>}0rd9^Lr)vvp;9
z`U3@dG)2h7?Ce7a+NBaojPkW>4f1{OZWvvL>?UnwWJKOmkJ^^s_nz%OLFGVF;08&T
z_7UAh;;sE3udlGLt_);cd#;_PSZD}82&QLdN?f^eWj`81rK&0>G6ci2DW|6wr<!rP
z6wwX~va+iMgZF2ZkT8~{ZM3(sIY$bKax=s@-|P16`>0CqrRbY9kgDgSAri|XKYskk
zhk?Y-e*XM<Eu6c%aO8bR(_dF6J{yrhB=I^c9q=MKxz74?G=%Dq(9l}fraYr!yM>>n
zuv4mhR@gKdvADBwds|DNo0|oUiq3I!|JmPJb7UCXTdEr=b?O^$iaf=5x&Em#I#%NL
z)c1rCQrf$F3+0Z9=lS{hg@j`3E^8svdtt67e!MRWd}m%4J&QOBhP#a^=;(acXS7Ro
zxC8~m(1x@rsBrD{^mIlE59NG5Em{%`X8cPAN}0^G%8Q?kO)g))v$Ior=QmZ76%YOl
z8wbbKRBIy5i4H<<hieAY6G={-7~{@Fg`4s4@T8`uo>b}>{TR%k*OjV3YHvT?^VXox
zAmEbg@cxkZ2)2t|@zL`7dY(6WeyHmCYswr%Dy_V7lnj!b@p6Gv-#ej@<m8d3n$iP+
zwGQ^S`l?X(gM+7A6YU=!qTJoxB|CHxkL}^qh$>Q26IMmI#<GE!%i_zE^PT11xgF*2
z<_&aGGf|FlSM%$ISLLrG<&z2u3XHi&m&Y2k>IYrxqW%;W713R^D}k3ma)dlm8@N|y
zXt%rmM_O7M;+i4p2y737ud^`9?ac_zq?!K03CM{rFFEsY<MQ;Z$;DiLQHXoYv?IkW
z?rn_(jVvEdobgS~LFmX}a3%;$OG^tySGeYHyhH#*ko071C^^&5Ts>Z&u~xB>S3;Jk
zcp0zx7u16!dvyR}PMkP#_UzehRUJg{r%=c5V;g<uuD>dTFV#5p2?z=bwlWe9*b7zU
zYY9)krJ5~(B9ymb(_o!%J*deh$4dw9van<zTsqUgz&L~g$3CI+iUM|StC?4NoLG^u
z{Yss)rBQ6xx(<;t?9(T?TORw{D^|kYS48fl!11->L9=)y`!9ZgbC7RRzSx^@qAck#
zL&4Vd@#7m!QGS!MfT;v~kKmoG<h!4&Qq#=*{3J3T2hUI7_|Yv>Zp)*xYC+2%j~9t+
zA$1YLzE^SM_4kg2EB@+a58}LZsn-p$G*ZXh6?C*WGM9&+_#9*H2be||fyMFVA-caX
zT)K7HZ{1;Nas%yl^CtJ~0t9+$b1XG=N|`w?+M@Dm82Rw<@c7&9Z69e;*rm4Ah)j*w
zgs8T&Hk~ZtIXlyl*12%Q91;B7%r6I4^R0e9K!DpG9wN(^wam%8GSwUMR5R$M1AGAS
z3q>*g9kLwyB)v$>(9jJrCT~v}8JS;SD8tkfFDa-!T(@ipwZyg}$WNT0ELMtU{L^2^
zu47#8QUf89hTm8j({B0=N8b0|958iRSlDr*b%_09j@=FriV1^K%SJT(s`TXL<W!Pm
z7a@MI{^8CvA(GZio12<4&d0{a;?P>iMk|caMF<bqGu2L<I+ZMb$8K+Pq2uND%4g;r
zSnK{sl$Eu0O-;?vuU}?9V<E6tscC3>D==6bnqrbGg`6<e{~4YCKJuA}66@t+Vr178
z!Qu=_|9kvSXaFKLL~i&O0p=5?Lk|8$XpgYX2>&8P@bkr93&u^n78|oYe-9idD=Vv*
zn8C-DAb=FGCzk)7tJT$2*fKnZNJxTQTwJ3Ogb<K|_oM3^lrX9d5Z4sO;!e6B?(fit
zjhAb~nJRZ4yhMm0-Su#^I_&h5P%x>wMn+%OuAyV;vvYGXWMq1V`<&;`+uGZ&{f5-Z
z1wsEgze(ncFjPW90;I+1n-G{5_zE0*c+e#z(Tw7!>F6SI$=bNFIL9Hj{vun_-1aht
zBS`tG>gtm@=_utPZZ0l7Norc!+S=OEP?i0paM0G`5bP3CT7kx<Cd=f=$VgveIJ~Ex
zJ%7&0!4Vn~64J*@PEJ0?fv9@OG-Z^A3NJl|E};1Tf(!lEPFOq#!uk*WnYxZMG&GDQ
z2B@hx4ya&rX~cCvsw6Z}NajB=nv2}^U%uo3K&q`P_FghOSGzqP3Hz~mI$p1peesDt
zN9oY<x%9I0SAqO+jS2?sd}E)Q`twITaM#1BrBQkIeDk9(@|!6q^OVsPZ?)>-IO@MQ
z<5w3nDk8!@0L()}OUn%0DC4=AV{e|(bAcPcxC`s=qe)+ixeix)I?>WT2kLdxHY9+U
zjQ#=o*U(VRSt*{=@Bf`_urfL6>FdwhrG7YN@Xj<r<fcxQBZp>Ez`{?_n<M|wk8ObO
zTXTI&z_;3^bn*|5#=@A*d?({zN2M%2efg3n{zJgdDzJ{T{_};yHU7tmh%A`pDg1nW
zorkN9_=<ry0eE_Nb3pA8cLII6Gz3ZrvnI$ir5I^5bvwIEWsf^|{2`xa{DGOQ1vXOA
z2-_#D;<fmlDZmXBuHK8kKBB_kLe#C@oqcQn;}thAZ`aTEO3yhR9i7#+HA;<!uv1E^
zdU|?ChX=_4t12a%ZOJl6K;@);mT_WKH<_37RWsy#<{?5_21g)|5laSaYw>lZt5D4!
zL94`&5p7y1hS+<49X))Ad4XDqfBpL4$CagUIb1bs5MO*!(%t!f;cQjRCymz<`G$pZ
zzl%Yxa2cw!L?!mN5?wK}{?hW!!D0>q^HbE%lACL$q7HYz@mPF+A*@4Ic4zuWIL@@I
zG`E3$lSa_&(H?82=4*+Nw~}03EpD%keue>?vG(nbRoI1`APj`SsPLpqb>03dX(nK-
zNQRs|RQdsJVrU#o6@e9Z0YM>AR)Z7uN59Dy%aRx&eE#}i{&k3UWJrFra@V+oVkymY
zh^W@CumEW&IFXd%+1Xn&9ap(n#Kq~}P9)t*M>Vbz*om^zvh^ka*WRDy;o&5KnAmtq
zBTLQQeR4-GHu}1qDF*ic_yT$?%PgwGt)s-O#Nn~Wo4uW#KQ5ENd7inrkByDVAvraZ
z<k@~sS7O?~%l}-ApyDhb;6H_3pj<+cYO^T_cjoA*s2)=mF)`W*2i5R_>})P|^n(Wv
z!q;zhW!~&Xm0S?cv~jHR<RMV2!=1LEaf|>r_Xl7Iu($16U!LzIr~?2V37pb+C*@Bx
zDZR7LgTm*}4gO*9CVF}yG=g3T?LheZ*m3gx{k68r1m(f}yu8NORBxw&l1xeZERTYw
zz*b0(p@?C1doO+aH_2_B%X2|<#mcla_En_=Nmf=Qk`FxwLjw{|!M8c=zr?D|1q{eq
zHM7hl3l-i(fJ7tS!@f%1yD-Ey>AhPGp=2On9fry5kL_;Eu`zA^womfSRC&swlc<mR
z0F-9@rAt>P2n9}OgZ5X<YW!Ghva?$n8q#D%9ptVORVFyN(01H+EH<n)ue&=Exb=Fm
z*7;Wj<<8vMoT&?=of+34M=MBQe(1IEGjR7$ma>|v>V4_h@J;}cPwrEUc+K}yUW=v|
z#Uv0YqLs~;?urdGDGemSJWTenimaR-#~}%!#e1jDO19sq&C5F}P*0SLc*#2+YGh{S
zV#9$Tn`aK%FEk@(uF^I(&P})t62OW{n!eNibMw0$KUIz;oH4pUTxM1WEuO<@UE0{g
z{U{=&wrtUXfq`$&1r3@D34azi{gde)5K<f~A<GeRAgF`z<A2Sk|7QWrBok%{k1DA>
z4_t%3qod=`pFc&ImhaymMMPLqYJ-gUEIyuXKI6HKDkeN8=Cg;2%85u2<uIRndaxY=
zW~S`avGMVt5$|qP6#*|v4FFKen0pVs9I?IBokPWuPK%)eBJ@hwx_LBd<ij0%d1>h?
zk3Sb2ySZpcfn$Vpck9~Q+lP$+CZ=?4f?gDo=H}+=^2BAM@en*78U#`TlpuwkjelT~
zW@l$NA_$0r-HxSCpHfk`*Z6x6d0P;;R`UOZtvLQywzBcRu@z=4ZuSQtcA)6b`HY@C
zd**St?^~+Aa<DbB1o{X72Y?Bqgp8aI5%l|~5YoDXO_S27r}6PLXU?=RGi4)mNXI88
z+@}qAL+1M4r%BY;u@WEv8#_Cshg^M{$;rtA#2iW&k#q0avuCjHa^gs4QL?hKl1;jZ
zj&DGT*x1;*zXJVP00J>afFqK^!orYqba`LK#!@6X@Zejtw6!U*Sli2YiBFyVmHiUZ
z#UpxA9sz+L9)%KCjU<|yZGLTDAiB-RKyss_U=Tedy6iSu59{=a8Wb7lo?NV{+iW*C
z6*tS}%Ra-^zL_(Eh&wADKr|9J=KA{1$Y|k4Y6F|rpPau&FX8}H%jhjh^_^)ArrO*F
zE8_actAB6(%Sl)`IEXR*AMRwmU;;|<J>g>0I%F2VjoDJ`&*Z{aAl))EC#R>M%NvB(
z1C&&y>)qCiiX5tNKQ<!0(n!T5;bB<fKuP0sbg)InjE;Vmm55=9Nk<Uv0C_SlyA?q~
zZNBlRYr4n49NPsFY5@cThQ@i2{W=^S2Fn%_U2DZHKM@6ZLK?BI{WRrhI{y#*C<G1$
zudJ@FUhb({s=Y=4t-2V{VoFsr9J{l%0bapMWxPMhn*xyp&}+jwu+Qb5)yZ#BJF3@_
zMUhw<8Y@i@js$6{0{6UtfBa=JT1b%Jegg$}I|@47nWnt0$b-X7CEwjWVIC3f*Bq4L
zS_t~B)o$=9=~%Bc0NsB<^)SWu;K*TUze%M>jxE-0f7@LR7}8@vui-{mx9K0RS+9nQ
zIR9L4jG!9l1@&8`sY&Gih$N=o0|dnCnwlm9hZoC6aOA(gK`g@n%N;sW4c?pC+S<O@
z*xGXK$?btyNy}%5H!1W5f}x%mY80m`3Q98}mHGjG{o9LFylgP>hpMV;#c$rcArW7p
zx}m73*p?(E9C=wyL!-GdjQK7X4G@|$`rRi-0qGkD+FBICK89Nc8yc)Z_e~Bu^aVmF
zlE_JDaP~S<R7Xq8;^W~FoZ*72a&jQSqba^|)$bD>KdzZ@;k=||0MPn{!E$d8kNy7#
zaxg;BQk~|HF>-5){kP<R&>h115M=-V0Y~_110sc2Djtaa+TYC#sq)t^)27cyO_8+a
zw+23SsiP^Jf%gFC%Jo4rUUmZ&9#7bt7jQ_5dqvm+;HQ5N;~fGyI6hW>^WVq;oX{Ct
zknJ7#dG(NyH2k@FdB2Sav;tzA+|{dCx+5Uy5ZDPPKIb0D5)iz&=ilJ$?504#^u3*f
zu*yU0=No6dp!o>74MK<Z$FT&U4E)AKCS|u|CkJ{bf`Ap~<m5=cfhI`NXf%bahlj`A
zyN5OYTPNjz!k}8|`hnv0ZS@RQdGqq{2$)t-(9(uU2?_{I`KF^<*tN~fl3u(xLqkLJ
zE)2p7pjlC;-Uo^3TcANYk9`Uuj{it*UGBRG>^hpGq2)1q46}^Ok0`4<{alNid_jOB
zUewpux3_Dpxzc(ffq+W?299xFHqalaIn5u};3z+T|FqJ!V#0Qaef~U4Cx>slnk+xi
zz@V?BL?nq6fGR^tgOrq1S63H*6$3D%0-TW%T^ppd?+@$hf<WmPomT;YikS=oXkH3>
zac<5@DrP(&AOO%x(;CQFcVgq>CdbAs_3A3$_BaX(zJ~!NF+syLC6$y%`rFT|?%zjw
zdv8@&OD3_yWlZ<J_GH=5x?f<!`1<*!D%M{FOX(?vPL$}9rGtY54u@!?hE1Ie3bQUU
zFQA*L`?{I`LMgzvBtc+&cdjvb-b&owVIo7usm48i{IOUO9lQIcx|(st^{Q;#>(^wY
z1$7kAK$hde^tAn*8!LqkK>Z~HbrHV0pBfsbzb9Bn`jg)=QaMt9yv73y$gUJ!(vdu{
ztp)owMqXC-p6wBdq4_Das;a8bCE#;cK#hWU=LH&tiA*f?3)Gau2*|;uDY>~{M@E7M
zifq4Leg#JrLhEV?%#<O#C{BcfmfU82rXwOELb4dP2%YYsl%yo^&^QmR%Z!ZFggH$o
zhL=$Az~=dSMP!pU6|^$28d5&Jdi5%=``DxC=&5ZvNJ-alxOxCq&jKIay?Zx6gpg3I
ztgK)asAc%-jPn(*g~b5zTs;EVz<BA_i`Uin-d0rfH#LR)z0Cae>sQc?BOgATpN<85
zG_$z)<2ktw^7qKnZ#tQ~)%Tf^v(_*MBoZ0GOoz2tdJr0Fykls=A@@ko=5aY8cN#0J
zs1y##prj=(yE*x=o(9?Fs=hwW&xT6}O7%*doSer)Qd-_=0YP}+L)4NrUZ)omAq0X9
zFEdRXhGpZ|$<58pDWR&<kgp5dj<f0FU!OjEc5!K`Eo|&`s=dgFk|MhQT20@#Z;>()
zb7hZod9Z{_T(6!yIqmK3T{Vlgkpx@>S!W^{B;2M{{kQHB#s1Yuko4k2^g+-#JZ0Kj
zTU$GS;yOEsZ<n?@iD0j&$;%T_*Y70?pF&GYN)pyr%a|7q88edp#CY-qsW$TKo05|5
zp&=<w&M*Z_Ny6w;C}6b}qZvOywxLmQUfJ5R4`Su1pGvrBA8loJ+`_K0ePW-A5^K?L
zj)S9UYcEa9)HF{ghx$^I1lB_E_v9o*_BBtx7?Ph_oBKhIJoWmNu0OQu8Ibu%;aZAs
z_b>&HBCgjR8h3YgR$}lQ+ghWgeP$EvdOY>H9gIijmaar4PmHm~dY@yM?X|U#y~?(>
z8NtE9+d<d#_2XBENgT**?Cl#+e1<&r^gA<YF)0Wl838R#O-<80KC0{ZGK4Wvo|!gM
z|8u&^(-b@qknSV##Sj%3$FzBVHlUu3Bk<&8j`r7pR3?i$#e2la&85J7{QOZt`1d27
zic+K*UsF?1c_ENNH|Gbsnwm1ehJx4tCO7%XlOEX|l9I1h%$I)u{(V_o{LA6=eP<$`
zdQ|mBuL;2i1<+|#3t90+GtnbAAbT{?e@Y@N@h(BEz2w=5JHbB>i`%5<Qtqi{NB}Xp
z*4zz2f2KC(){j@>d~`hZd81`(pGXD6N4>qghRd88=2E9*_ajKu`PG@O$+Vv4saM<H
z+w=a@+0@bD-jS+s^6tg7jVG%RV^+HOu7zTR%y|)gzaW8&Gsb4%_R}WMn|+Oc^5lNk
zNB847h&62;9jj@WV&ZlhimNfeqU(UY1~4vXV=930Lh|U-U6U?ka;w$PGc1IZ0KanY
zQ6d)ift0>X6G{;;yERZGbGQ;i5K&i}XzA8Gb#ac4Jn!Cs><y_)v`}5Zthxd`+Vj`q
zZvj2cY2$EfP;xexyuY!r5wZvKdC_eY2Y@>r-WQ@t<dlzxX%#RmV1fB(O+Pd0{;CVK
zORkL~0e=1_XJ%m#=ncSX211A7ws;8-WFflugYVx5L-lKc_E~rsD5u`CCKfDP@aO^-
zKTN0JrPD$rll00VD~{L?-<#L{aM0%A)Ogija`S1Cp!=`Qu#<G-v$H%rXn<2z{S0pr
z-B{lv14&SOG}P7g_Cu1MJn4LIE(6C}7jtG)ksI+GJ$U5x34n>isbdNH`ud9U@&z#|
zg&0EsQhGNs9b#Td`d*NcIRb6BD3|GK)9EP3>+h{}Tt;f0WscDSfhj81Z~Z&P00#4>
z>4(ak2Z5Cjrx0K>qohx}-)265G%)Jk<roNyYT=v0#_iryMXn#l8sGu~z^$0hpFZ0I
z;T6OUMwz?&u)v_V6PPVlt8UZ-)HY+D?SZ+*`!zDZv541(ZLDLv^{qjF9j*gd*5-4=
zIf`B?4dOG+cbN1GFN1K`wQv4<z~Vhsm!-|pDF&^2Sk+Tp7R`_7D$S#yiUR<X6@5<&
z@K}}13LxlOT3YZB{P0Ls-o_@qwy~(_g3T}t2ZoaR@SbW|i>&!B*x^~4$%l<pnjZ80
zgzX7xaNPI@^0$U3NEFt1@iiLXaZ!XW;=Mxjm=r<IvAjpvO|$~0?P^P1S#59M*YadS
zpf31M0N8wT<i$`r;CK7>1pyb`^Xum!Xs|joeEI}ok3rOtnv#<BcKh>aHHwCygE@1m
z)2AWI#lE3#^E7Po6Dmga&o$mUvv^?1fT_4W`IY%_`MA8sw|IV#n?N<GJv#K4w*X8j
zdQmubdvnnB8XZVlbjqKjNIyz~hV>ZC{NX&Ki<E@clCbq=oKuasrBj1icn4)AC8cu5
zo?OtlS5{U+v2HW%tZHou7nLp^KNbOcXJGC<t0dnkx?>Qs|0tW6yS!d3u93*ID#yTd
zucf`;3Tx%U5kkW+Il$G9e`Vi#k;RKI=jfFi`6X7p+ubh2)&?EjO+PwV3hIlR{`+h}
znHgv4H~{)=XT0H6O^U!8nOkbe`hfx16+f(gwzjJ4mLcz(>(m2*&@!qof64om1CSM)
zJEUM^laA+R#>SZADs3#J7z`NoY=l+m&qC$B>H9+Pm=1zmepOgn>`<~RhHFP47jYo2
z<n>JD$?q1ydvHk5I0L~nxp46!sJz+<vag_kLMLEyX(=Z2BkV7CS0!#IY4Y`zm5+Jl
z<y-d2fn{K=0OJabAaK236)UiZK^5}^x9pEszTg2t(gfm^tM?XsE=DFM(d305OY9Y0
zyy&`w?8ynm(^>b%%(6gB1q@s4iEi0EEI^_yvNGP?gGOEoTZf*TfAr`PLFTD};QZyw
zmlt^UMgs`DuSIU2o{w()eAXW#mF@0n_vf2yYYngIB48^rNe5JTY{jd~-2SZ$N8@on
zNQ|&$fyT&5RKYTnV=c&J#MwhT9*QiFs+8G>Nu&E!H7N#$naesTaN1K-Q%RD(I%O%^
zrM>0jz){y$S4)Tl6Mg1-^IyGU3~-!eNsRVv1Ix?IOrWYmB2Nx&7(tNdppc^n*icrI
zpCg<J9Wcncv_rb}@Xi}Vj~5Os{o7FC`MmY??*sxdxUSXw^5LH~{$j?F*`;8y&xO`Z
zm9%aU5qyeeX0%8<PLi|h+?6W~e*lIHryxw`PY|5sQ5lSzhlk|y6=0`2O=l%YNJxAp
z;|x;paF*${@cf&98%QZ<#Se<QOaK-79L1!!OOLgPl#(R~Ix~9ppzTst!er_hY_WYT
z=`MS&_wSDxAdl8$j)Du0zL_7c0)dJFyP(UpW+Q&=^Sw)bRE>scHDI!2g%|e^4i=P<
z!Ng=w4irW;gLbb!bwr_1W`P@eImLvspn`{nig$ia`Q0y|0dpn$-uSo`QCVfBm?|)V
zd(v{JFLhJ>m5kah5QtQgEx}2V{PvHll5~zBGR62j5&5j0)9`|4GvW^>*TuRUR3}_3
zCpRZ&7D&-hU1I!aS3;wk_N8?h7x8uKXDKd2+O3(0O^L$XVdm27^`MtD$-LD_lDw&d
zz6C`QLPA<Edl-wG-chIMk$=@fI3df7Nh{z?U2KzNCtgmt;_Wg-ZDAov)4C4rLov?a
z^2ala#g@OXJ(#ssXmusy%h`w%4sL6S4~}Tg2Kxt3uh9vmX_WggC61u*W@)?@Q5q6f
zMD8|QcLX+^nxzNh=N9PsAk!bNXUXIo9lhW;Jd2v`%pj$ifl?qSqsYi>v;u+#r8G?%
zj((V)cyPNL%#~>;LT<iUTDTfoj%8+!c^xnw!KtPB;qJli?=Mdarv<@&AVl%jrr1Q#
zrpltx5S}wlw2Fe;X5xcYKL4w8Pm+_F-zl5U0Ni!EXD4|k4G}m|I8!^uDJ3;DG{h7S
z$L8B-=AgVd&UjZaL%VaXgYff6%eB8?40@5F4xtY-wlbCIs_{YyIdJxhms&tb52Z3h
z2!*8n*u}*^{(G_aoZpB%_yLth_dLOTquA#)cn5P`I>mB5Mr!lSt5pzOYxY;a8LD-f
zNBxK1A+B=%fm)Do0it7>l*DYtvzvUlJCZa5V*4}t_zX!xVvt;%W;=jPj5D;dyeTX{
z4-#E>-O<3Eoz=<lw~&A7S8`la90rE6-Aza~01#O0uC>X0E^Cfv;+1${od8ONN~HMZ
z%gV>5QhDxC^hj_82DdrH1?T*o9e6+YrAzvcQetnA2{`FGWzc@2OG6B-7}|_1TjP+a
z!uJPL*0D5C<qYn0Ib>OU0h%63sC}@a@t%NqFh@=cEV9{^H2)-D!iyJNc7cI`8DdNh
zam2YR4h~SIsNmc<deL~&VpiA@WP<v36@sC9j0sYxT{>z#>NDG3DDyE4g&;jGnI`~5
zuwV1Ek+ZWOTeK5s8>$_gHN3<gjl{2Da5tE)#XozN9d#x^@hzj8lp+~cD<%N&SjFHQ
zD=uP|9LnOFH`&n`FcWcD575?j>efKJ8gt<|xKgQzo?(bl*d&t~?|i=a;H7WU6>su6
zjl@gp>1p)$U)IgL%<$mOrN%`|Ddn48yz#F$&WzN_NM>)u)qb=u`TDWjy4%ncx$F1(
z#l77HpZjx2dyE17LtSqRoq?#A3mfM=b?d*z@xDR)K_(&k*iJVM);j6p@BN*|Vyh<1
zxy<zR@E{kbsR%E5@YCGS(b3V3e;J2pev)?-vWeDe(9u><(AJQ5|L%27sf;}hr-31%
z+a{q{e5eFDCn!@;2lbJTnmRo(_@54?|9gi}PrW25m&zKN?0keHs|l0f=II$ySh6a2
zp6D~T8R;8WHLUtSQ=JT){1;g)+b~ORg1xqO2Y6f-Ml0`DK>t)tY&TWoLTGbRFaNsJ
z7NMSk<^N<t`nMBu$WD_s%Iq7J9*;Hntxofk@Zkf%Qsa|)B4W2pmw#L6&l%BpJ^Vd0
zPUA>AY0Nk1&gl3@Z3i&ApNLT#ZM(`5H(Ng@#DS9Cq%rd<FLiI<1{PjzdtoR&>$Wth
z%%Vx8(L|D^EJZ28R!J3h<a>)aR-<v!W2?Qfh)MIDTk=f%n`6;{cNM}1bBDDWgD@`{
zx(+DoPqsa5%|SHOXsmnw>(+KVdF)lmWesIzEt3I;hXndj?2ux74Xun7`RBgaCN?Hb
z4+d040z<!WX~?h^R06?Tt<-4P1kF62ZKIj@vBDwsH$vG!Z81Yuy3$;#?Te_bFAk07
zEW#Azicxd#w0=_DY#eRp(9gyjZ%A~|`sjDA$QuwIN`;`neH{ruYbD-wpyH`NLr^<q
z)U%xi=H$&sjmjn>kZ8jmhKEos7!iTd#Xpu3&PMQR*Tb0tALP7qxqgj?NR_{X<;Q4F
zV?Og*(={XfM)e!zUo6Zj$mWwDEWh(qMu>Vn5Q^m*qzc9q7^Cs<=*w{mzQL7rmn)eu
zeoF`Ldz;Q&xGmE&ZxI8mV(lqU=sC6gA@*u@JR!$<5s?qc2QsnRlxHVq4^lPMn|<Ly
z^b~`)rK+?GH3`;nd3k(1^&U{vl$nvCT{ZQ);grmSh}n09wjhxQKaA21eByZ7@qpcJ
zhGTY)gtbaxNPZ~k4DqI_J`%u7!v&#t-5wsdZ(H%#ck>w*AoM&GGkq@yYzuu--<1ES
zPwVK!TR|s}MHHpkwzz0t(w?*L|H(57GIpnhG{Lr_;uR5jh7l6=UK&=2)7m;RP9GL`
zA8!OmvHqIG8q0F!cWAA}(}fsI7HzMRlLP!;IiyojPyl+YT~d~G0U)D8XZndodGw3v
z4=jB3m3Wl_a4l}#x&@Bv0(Ai#$f0VFuwU)8w~7vgPoDc49sj2HVoR9Icp5LF^&DSl
zFLy8080ImVaRCFkYBDcY99)SII3Z0dg#Pg11DA>JZL(yPFPep1H0VQ5085Ve@6g1=
zL|s?fy6+K$Zm}jhSp3s1M{eAR8IZHtBY<7Bb*BT@JCwY9K8%I}0z60z!CmwO)ekuI
zlbTuO{0g6yaY%*Wf!wDuh9WfUv2VOAGBV~DPp^}G7+YEz0r2?xinrV)64us#Uc)s=
zDd!cr>vi=Sl6doLea!u*9O|dlPyXRNQN<=8@UEm}T`Uqs*7W&v<n!TbS5&;9`C)CU
z?1y~gQcUY1NKW9G_Ow_%H>d|`z>-oO-9rB1@#DuG#rB%#yyklO!CR%u){cB{vuEAH
z@zv`=>`-d$Q2T6zrN#S`C!JA~U%WWVkAqt4jy%Y80HoX$Yg0#QO^qmX8QNVaA8|C}
z+70~$A-Ub#`OD_#SoLQMgxzATcqmkDP$aLYn5uGn@t61&U4)|=3>Q=T)m^xvvJ$qP
z@Tk)pJk+nH`Py*`v&_=!XsY=;Nu<6>AHBxdqXyc?K(u>fEUF$f8k?|z>u0l<z!{hV
z>!z@LyAF6IU~iCLpZNtE=<7qJM<<(%7ndw@T=Rxf%-PB7`WekZZf<TWDiJz@i@CWx
z=H_6NP1A4dy%NcGk02B?gU@mD%w*3IRF7qiZXdsQ?;a?MkB*e|5Fm>|<;`dH;Kyl?
zrjMWkD`;<U<k^7_qXFMb#AQQbUnwpGq4<r1g9BtGF|p^`x+Zz)r}!5436+_pjy-?6
zvf=`bCX6>$SFQH@vQR`=EEa;sjk>#mXM|sZv<oD>L>aOw6qyYb*+v#Q9o~oPr>e?I
z8Z1`0dd?h~?vipoB(eyEaRp09n04)L&?*Q8gL>Dijy=)K(alB|aAhN$h@6qGuCC}K
z5?7;cN6~YMuU>s8s64bmK|!D#AFAms;qstn!H$-Nr~aqx@`UP*Vmq?P)VtSu`ufD6
z3eY73bqf#XBCtNA<+h!Nw=89mkAisW?YOwP-Mzi1nfqqZx;fhqLNEnV(2X0WrbWfY
zM$|E%Ku_1s7+>Pk#j8Jg`EnM7hbtvlgo$<2fUVBIDW<}v7@nr0@}+vq0ITkx2IgEL
z^f%G<>+bgUnTy}qA9L~W=;Y`+s1Yuo7jo(agXL67RC-?C_pYw%BUSDsSPTCY%;>^`
zl=q@3jY3qo0FDv;2%|-xdgtxV$h5TyTmY*D<^*>Sw1~>8s^Z8hq?Wc^S_D4_53Z0P
z+Er96$G8*~kWyeRXw$Q@V18H21^D~X;g|w;=$#%9*1uZ$@6R!D!(a%kE*R7m67DW1
zA|@s#BI@5s6ZAr+qULE=jzRIzxA`)nzYlxQe_%LCFFTKtN5=+v(=0D97nDCnKiDJu
z$a0jKl2Q+t^PM6M@D&S~dHg;zV1WYs>wO*$Gols&oGxM~2&5$+Kfn06IPN_mb~d)Z
zkNPz<eEW9oW4V$;^bI^1o>$Kg^z|9!L@~vwHd%JVg=2?@hd>`OSF$0?H_Dh3LA~b7
zoZMW$h0?xf-L}deNH{ptP@NgBo!#SDk^sgo){PHD`FRwfvNQNn@!Pj=^Od5{@ZN-|
z_t)bP1(~`4zYs0RW-P+U8--!<Jif973?@ypLmYDkB=>uu{g-4oFP3|(%yEn);n1;u
zEPQ<5%bIB;!o%yyi%EsxrnO8*-uLHJH8eJtmqB!#1T8|jhP9ct@G#R8l(Z@Y$j!Pm
zXQcc@X8ZN4!l2L^I1Qmw6xRuN{dnw!!C>5urg=|;EpnUG&@w$j03V<YlJs|3FRwDa
zo^l1+`ho(XBzkZgP6&SmpZ0Onmb~B13snehFfkyLr7k)TjCoUR!W5OQI-Q3vY7}j3
zemlLdvHQ48dg4UkJUInV{je<AFP-=2ppvZAM-;66P4fH98*btC-v_a-ihBDNS>S>r
z8=b_z@8G}{Z|LcXBP@g!Kg=db)&naFXERa-_CBY>Hv_b^w6!G9pqM;l=GEIP(j#e)
z`k`V!H4e&q?(ZFa3_fl&3XMs?;esGsGCLh};oOJ1y1FSo<3s&HsRS+LZ<#G;s2|=@
zx^et?SY;`ihnKhT-PHW{%ESOV7TWzmD7qi%4-wK(Q_H(5oxN}k14VF9IyAv$0WFh(
zUgZ9nX6&I5u$5a(7i8<NVJMEpyHUf2>nDEs8cop*%5A>038G_hex8ro;!Z<6B~Se#
zO8Vl(i~RigDJi&0ZFVd0i70DGCV(fWd1?*n<Ld4n6uk2pDYT*Z9g`1-#yavAHTb&^
zTYmgV0=4|AXvIB2!vYJav3>XM9h>cVV??PlI^4MaPMcJ@@0wk9V?)DL8!QDyEVwu*
zC^`|<F*TL+U9~yR1k><{xvjXUXm!9o8OtjnA)%Te36k|ZCBQQVM9&6P#)2~EIoquw
zFX*_@d?bLsqyTDKM$1xf{$RE5+O{`gXlKDt_8$wOeLw=`43C|nm}P2#*BWNnw<Q4~
z+wZG8Y<dFUKamCh+#`J15KH5H557_$W4N@vy}b@9Iiv@NHO&`7mP3`EBLQns*|OnE
zh%4TUHXTrxA<l9L9R$MvCOA7g8)}>)-$*Y<jK)MnK%M0y@V#@cXXRN+UXX)RFa^3E
zc=+v5D0CLSQgKayFS+>cfLTsM3!9JT2=XnhUSI=MXQsZyk;1oQ;-=L;lv`f;+e$ZB
z*x9W?U;*WEf4;a)<nvK5x<FFe$OFnnP!30Fhwl@h6#oKzi*uHqWom1FAZ>tcd2P)a
zy4X1NrL9e=$*lMw=1R~hsT4&P{!8!`i8VbrXbk$TpfG~=BoZ|`KmY5h3?Lb+FE3ua
zfbT>K5#W9f!W_Jk4m5swqrgJ;RB-j)VwIJOE)u>>t4G0{Id@fgyS6F?I;=71<6!2S
zo*0sDplMjJxLXYJrM<VJW=x(#MNBD3D-_a%D$+vib|e&s&eLzgU-+7a;d^k+Y5hQH
z6biW<*hhZ^EsuT#W7}x=;SnVm@}1c|GU&o{N8E7m(Z&{l<`@ORpYs}G%XaT(={<sS
sZ?}^%Ov)hMfLr;mPx4qB%XZAwgAGH^mMs{=*Ov$t1r7Okau)ah7Z<vabN~PV

literal 0
HcmV?d00001


From e82aaefae0f319bd8e0e072597cc135e9068161c Mon Sep 17 00:00:00 2001
From: Chris Doherty <chris.doherty4@gmail.com>
Date: Fri, 24 Feb 2023 12:04:45 -0600
Subject: [PATCH 02/14] Update CRDs

Signed-off-by: Chris Doherty <chris.doherty4@gmail.com>
---
 design/14_tinkerbell_crd_refactor/proposal.md | 215 +++++++++++-------
 1 file changed, 129 insertions(+), 86 deletions(-)

diff --git a/design/14_tinkerbell_crd_refactor/proposal.md b/design/14_tinkerbell_crd_refactor/proposal.md
index 0f0ddbb..5f58ae9 100644
--- a/design/14_tinkerbell_crd_refactor/proposal.md
+++ b/design/14_tinkerbell_crd_refactor/proposal.md
@@ -82,90 +82,112 @@ The new set of CRDs will be defined as part of a `v1alpha2` API.
 ```go
 // Hardware is a logical representation of a machine that can execute Workflows.
 type Hardware struct {
-	HardwareSpec
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	HardwareSpec `json:"spec,omitempty"`
 }
 
 type HardwareSpec struct {
 	// NetworkInterfaces defines the desired DHCP and netboot configuration for a network interface.
 	// It is necessary to specify at least one NetworkInterface.
-	NetworkInterfaces NetworkInterfaces
+	//+kubebuilder:validation:MinItems=1
+	NetworkInterfaces NetworkInterfaces `json:"networkInterfaces,omitempty"`
 
-	// IPXE provides iPXE script override fields.
-	// Optional.
-	IPXE IPXE
+	// IPXE provides iPXE script override fields. This is useful for debugging or netboot
+	// customization.
+	//+optional.
+	IPXE IPXE `json:"ipxe,omitempty"`
 
 	// OSIE describes the Operating System Installation Environment to be netbooted.
-	OSIE OSIE
+	OSIE OSIE `json:"osie,omitempty"`
 
 	// Instance describes instance specific data that is generally unused by Tinkerbell core.
-	Instance Instance
+	//+optional
+	Instance Instance `json:"instance,omitempty"`
 
 	// StorageDevices is a list of storage devices that will be available in the OSIE.
-	// Optional.
-	StorageDevices []StorageDevice
+	//+optional.
+	StorageDevices []StorageDevice `json:"storageDevices,omitempty"`
 
 	// BMCRef references a Rufio Machine object. It exists in the current API and will not be changed
 	// with this proposal.
-	BMCRef LocalObjectReference
+	//+optional.
+	BMCRef LocalObjectReference `json:"bmcRef,omitempty"`
 }
 
 // NetworkInterface is the desired configuration for a particular network interface.
 type NetworkInterface struct {
 	// DHCP is the basic network information for serving DHCP requests.
-	DHCP DHCP
+	DHCP DHCP `json:"dhcp,omitempty"`
 
 	// DisableDHCP disables DHCP for this interface. Implies DisableNetboot.
-	// Default false.
-	DisableDHCP bool
+	//+kubebuilder:default=false
+	DisableDHCP bool `json:"disableDhcp,omitempty"`
 
 	// DisableNetboot disables netbooting for this interface. The interface will still receive
 	// network information speified on by DHCP.
-	// Default false.
-	DisableNetboot bool
+	//+kubebuilder:default=false
+	DisableNetboot bool `json:"disableNetboot,omitempty"`
 }
 
 // DHCP describes basic network configuration to be served in DHCP offers.
 type DHCP struct {
-	IP      string
-	Netmask string
-
-	// Optional.
-	Gateway string
-
-	// Optional.
-	Hostname string
-
-	// Optional.
-	VLANID int
-
-	// Optional.
-	Nameservers []string
-
-	// Optional.
-	Timeservers []string
-
-	// Defaults to max allowed DHCP lease time.
-	LeaseTime int32
+	// IP is an IPv4 address.
+	//+kubebuilder:validation:Pattern="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}"
+	IP      string `json:"ip,omitempty"`
+
+	// Netmask is an IPv4 netmask.
+	//+kubebuilder+validation:Pattern="^(255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255)"
+	Netmask string `json:"netmask,omitempty"`
+
+	// Gateway is the default gateway.
+	//+kubebuilder:validation:Pattern=(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}
+	//+optional
+	Gateway string `json:"gateway,omitempty"`
+
+	//+kubebuilder:validation:Pattern="^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$"
+	//+optional
+	Hostname string `json:"hostname,omitempty"`
+
+	// VLANID is a VLAN ID between 0 and 4096.
+	//+kubebuilder:validation:Pattern="^(([0-9][0-9]{0,2}|[1-3][0-9][0-9][0-9]|40([0-8][0-9]|9[0-6]))(,[1-9][0-9]{0,2}|[1-3][0-9][0-9][0-9]|40([0-8][0-9]|9[0-6]))*)$"
+	//+optional
+	VLANID string `json:"vlanId,omitempty"`
+
+	//+optional
+	Nameservers []Nameserver `json:"nameservers,omitempty"`
+
+	//+optional
+	Timeservers []Timeserver `json:"timeservers,omitempty"`
+
+	// 24h default
+	//+kubebuilder:default=86400
+	//+kubebuilder:validation:Minimum=0
+	LeaseTime int32 `json:"leaseTime"`
 }
 
 // OSIE describes an OSIE to be used with a Hardware. The environment data
 // is dependent on the OSIE being used and should be updated with the OSIE reference object.
 type Netboot struct {
 	// OSIERef is a reference to an OSIE object.
-	OSIERef LocalObjectReference
+	OSIERef LocalObjectReference `json:"osieRef,omitempty"`
 
 	// KernelParams passed to the kernel when launching the OSIE. Parameters are joined with a
 	// space.
-	// Optional.
-	KernelParams []KernelParam
+	//+optional
+	KernelParams []string `json:"kernelParams,omitempty"`
 }
 
+// IPXE describes overrides for IPXE scripts. At least 1 of Inline or URL must be specified.
 type IPXE struct {
 	// Inline is an inline iPXE script that will be served as specified on this property.
-	Inline *string
+	//+optional
+	Inline *string `json:"inline,omitempty"`
 
 	// URL is a URL to an hosted iPXE script.
-	URL *string
+	//+optional
+	URL *string `json:"url,omitempty"`
 }
 
 // Instance describes instance specific data. Instance specific data is typically dependent on the
@@ -173,23 +195,33 @@ type IPXE struct {
 // service such as Tinkerbell's Hegel. The core Tinkerbell stack does not leverage this data.
 type Instance struct {
 	// Userdata is data with a structure understood by the producer and consumer of the data.
-	Userdata string
+	//+optional
+	Userdata string `json:"userdata,omitempty"`
 
 	// Vendordata is data with a structure understood by the producer and consumer of the data.
-	Vendordata string
+	//+optional
+	Vendordata string `json:"vendordata,omitempty"`
 }
 
 // NetworkInterfaces maps a MAC address to a NetworkInterface.
 type NetworkInterfaces map[MAC]NetworkInterface
 
 // MAC is a Media Access Control address.
+//+kubebuilder:validation:Pattern="^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$"
 type MAC string
 
+// Nameserver is an IP or hostname.
+//+kubebuilder:validation:Pattern="^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
+type Nameserver string
+
+// Timeserver is an IP or hostname.
+//+kubebuilder:validation:Pattern="^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
+type Timeserver string
+
 // StorageDevice describes a storage device path that will be present in the OSIE.
+// StorageDevices must be valid linux paths.
+//+kubebuilder:validation:Pattern="^(/[^/ ]*)+/?$"
 type StorageDevice string
-
-// KernelParam defines an atomic kernel parameter that will be passed to the OSIE.
-type KernelParam string
 ```
 
 #### `OSIE`
@@ -200,15 +232,18 @@ type KernelParam string
 // OSIE describes and Operating System Initialization Environment. It is used by Tinkerbell
 // to provision machines and should launch the Tink Worker component.
 type OSIE struct {
-	Spec OSIESpec
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec OSIESpec `json:"spec,omitempty"`
 }
 
 type OSIESpec struct {
 	// KernelURL is a URL to a kernel image.
-	KernelURL string
+	KernelURL string `json:"kernelUrl,omitempty"`
 
 	// InitrdURL is a URL to an initrd image.
-	InitrdURL string
+	InitrdURL string `json:"initrdUrl,omitempty"`
 }
 ```
 
@@ -219,53 +254,59 @@ type OSIESpec struct {
 // prior to execution where it is exposed to Hardware and user defined data. All fields within
 // TemplateSpec may contain template values. See https://pkg.go.dev/text/template for more details.
 type Template struct {
-	Spec TemplateSpec
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec TemplateSpec `json:"spec,omitempty"`
 }
 
 type TemplateSpec struct {
 	// Actions defines the set of actions to be run on a target machine. Actions are run sequentially
 	// in the order they are specified. At least 1 action must be specified. Names of actions
 	// must be unique within a Template.
-	Actions []Action
+	//kubebuilder:validation:MinItems=1
+	Actions []Action `json:"actions,omitempty"`
 
 	// Volumes to be mounted on all actions. If an action specifies the same volume it will take
 	// precedence.
-	// Optional.
-	Volumes []Volume
+	//+optional
+	Volumes []Volume `json:"volumes,omitempty"`
 
 	// Env defines environment variables to be available in all actions. If an action specifies
 	// the same environment variable it will take precedence.
-	// Optional.
-	Env map[string]string
+	//+optional
+	Env map[string]string `json:"env,omitempty"`
 }
 
 // Action defines an individual action to be run on a target machine.
 type Action struct {
 	// Name is a unique name for the action.
-	Name ActionName
+	Name string `json:"name,omitempty"`
 
 	// Image is an OCI image.
-	Image string
+	Image string `json:"image,omitempty"`
 
-	// Command defines the command to use when launching the image.
-	// Optional.
-	Command string
+	// Cmd defines the command to use when launching the image.
+	//+optional
+	Cmd string `json:"cmd,omitempty"`
 
 	// Args are a set of arguments to be passed to the container on launch.
-	Args []string
+	//+optional
+	Args []string `json:"args,omitempty"`
 
 	// Env defines environment variables used when launching the container.
-	// Optional.
-	Env map[string]string
+	//+optional
+	Env map[string]string `json:"env,omitempty"`
 
-		// Volumes defines the volumes to mount into the container.
-	// Optional.
-	Volumes []Volume
+	// Volumes defines the volumes to mount into the container.
+	//+optional
+	Volumes []Volume `json:"volumes,omitempty"`
 
 	// NetworkNamespace defines the network namespace to run the container in. This enables access 
 	// to the host network namespace.
 	// See https://man7.org/linux/man-pages/man7/namespaces.7.html.
-	NetworkNamespace string
+	//+optional
+	NetworkNamespace string `json:"networkNamespace,omitempty"`
 }
 
 // Volume is a specification for mounting a volume in an action. Volumes take the form
@@ -283,8 +324,6 @@ type Action struct {
 // See https://docs.docker.com/storage/volumes/ for additional details
 type Volume string
 
-// ActionName is unique name within the context of a workflow.
-type ActionName string
 ```
 
 #### `Workflow`
@@ -293,68 +332,72 @@ type ActionName string
 // Workflow describes a set of actions to be run on a specific Hardware. Workflows execute
 // once and should be considered ephemeral.
 type Workflow struct {
-	Spec   WorkflowSpec
-	Status WorkflowStatus
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   WorkflowSpec `json:"spec,omitempty"`
+	Status WorkflowStatus `json:"status,omitempty"`
 }
 
 type WorkflowSpec struct {
 	// HardwareRef is a reference to a Hardware resource this workflow will execute on.
 	// If no namespace is specified the Workflow's namespace is assumed.
-	HardwareRef LocalObjectReference
+	HardwareRef LocalObjectReference `json:"hardwareRef,omitempty"`
 
 	// TemplateRef is a reference to a Template resource used to render workflow actions.
 	// If no namespace is specified the Workflow's namespace is assumed.
-	TemplateRef LocalObjectReference
+	TemplateRef LocalObjectReference `json:"templateRef,omitempty"`
 
 	// TemplateData is user defined data that is injected during template rendering. The data
 	// structure should be marshalable.
-	// Optional.
-	TemplateData map[string]any
+	//+optional
+	TemplateData map[string]any `json:"templateData,omitempty"`
 
 	// Timeout defines the time the workflow has to complete. The timer begins when the first action
 	// is requested. When set to 0, no timeout is applied.
-	// Default 0.
-	Timeout int32
+	//+kubebuilder:default=0
+	//+kubebuilder:validation:Minimum=0
+	Timeout time.Duration `json:"timeout,omitempty"`
 }
 
 type WorkflowStatus struct {
 	// Actions is the list of rendered actions and their status.
-	Actions RenderedActions
+	Actions RenderedActions `json:"actions,omitempty"`
 
 	// StartedAt is the time the first action was requested. Nil indicates the workflow has not
 	// started.
-	StartedAt *metav1.Time
+	StartedAt *metav1.Time `json:"startedAt,omitempty"`
 
 	// State describes the current state of the workflow. This fields represents a summation of
 	// action states. Specifically, if all actions succeeded, the workflow will succeed. If one
 	// action fails, the workflow fails irrespective of previous action status'.
-	State State
+	State State `json:"state,omitempty"`
 
 	// Reason describes the reason for failure. It is only relevant when Result is ResultFailed.
 	// It is propogated from the failed action.
-	Reason Reason
+	Reason Reason `json:"reason,omitempty"`
 }
 
 // RenderedActions is a map of action name to RenderedAction.
-type RenderedActions map[ActionName]ActionStatus
+type RenderedActions map[string]ActionStatus
 
 // ActionStatus describes status information about an action.
 type ActionStatus struct {
 	// Rendered is the rendered action.
-	Rendered Action
+	Rendered Action `json:"rendered,omitempty"`
 
 	// StartedAt is the time the action was requested. Nil indicates the action has not started.
-	StartedAt *metav1.Time
+	StartedAt *metav1.Time `json:"startedAt,omitempty"`
 
 	// State describes the current state of the action.
-	State State
+	State State `json:"state,omitempty"`
 
 	// Reason describes the reason for failure. It is only relevant when Result is ResultFailed.
-	Reason Reason
+	Reason Reason `json:"reason,omitempty"`
 
 	// Message is a freeform user friendly message describing the specific issue that caused the
 	// failure. It is only relevant when Result is ResultFailed.
-	Message string
+	Message string `json:"message,omitempty"`
 }
 
 // State describes the point in time state of a workflow or action.

From 84837a23a75a8f1d72ad2abc66f2ec7e1641c4f9 Mon Sep 17 00:00:00 2001
From: Chris Doherty <chris.doherty4@gmail.com>
Date: Fri, 24 Feb 2023 17:17:04 -0600
Subject: [PATCH 03/14] Add rationale for not using conditions

Signed-off-by: Chris Doherty <chris.doherty4@gmail.com>
---
 design/14_tinkerbell_crd_refactor/proposal.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/design/14_tinkerbell_crd_refactor/proposal.md b/design/14_tinkerbell_crd_refactor/proposal.md
index 5f58ae9..673e5cf 100644
--- a/design/14_tinkerbell_crd_refactor/proposal.md
+++ b/design/14_tinkerbell_crd_refactor/proposal.md
@@ -20,6 +20,7 @@
   - [Migrating from v1alpha1 to v1alpha2](#migrating-from-v1alpha1-to-v1alpha2)
   - [Rationale](#rationale)
     - [Comparison with existing resources](#comparison-with-existing-resources)
+    - [Use of explicit `State`, `Reason` and `Message` fields vs conditions](#use-of-explicit-state-reason-and-message-fields-vs-conditions)
   - [Implementation Plan](#implementation-plan)
   - [Future Work](#future-work)
 
@@ -486,6 +487,12 @@ Reasons for failures have been introduced as a core concept, via the `Reason` fi
 
 The `Workflow` provides a `TemplateData` field that can be used to inject arbitrary data into templates. This facilitates users wanting to model variable data on `Template`s that has per-`Workflow` values.
 
+### Use of explicit `State`, `Reason` and `Message` fields vs conditions
+
+Workflows operate as a state machine (detailed in [Workflow state transition](#workflow-state-transition)). [Conditions represent observations](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties) about a resource and are not state machines in and of themeselves. Conditions should generally be complimentary to existing resource information, not replace it. Conditions in the Kubernetes API have a [well defined set of fields](https://github.com/kubernetes/community/blob/4c9ef2d/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties). Some tools such as [Cluster API](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20200506-conditions.md) break away by defining their own condition expectations.
+
+For these reasons, we think it would be more appropriate to have explicit fields to represent state and consider a separate conditions proposal that compliments the CRDs.
+
 ## Implementation Plan
 
 1. All services that have unreleased changes will be released under a new version. This provides a baseline of functional services that can be used in the Tinkerbell Helm charts.

From 9c9729ec0890e2427a80d87f7a9d3a6018d0e334 Mon Sep 17 00:00:00 2001
From: Chris Doherty <chris.doherty4@gmail.com>
Date: Mon, 27 Feb 2023 07:59:42 -0600
Subject: [PATCH 04/14] Tweak dir layout and add action states

Signed-off-by: Chris Doherty <chris.doherty4@gmail.com>
---
 .../workflow_state.puml                       |  13 ---
 .../workflow_state_machine.png                | Bin 14834 -> 0 bytes
 ...md => 20230222_tinkerbell_crd_refactor.md} | 100 ++++++++++--------
 .../tinkerbell_crd_refactor/action_state.puml |  14 +++
 .../action_state_machine.png                  | Bin 0 -> 13184 bytes
 .../workflow_state.puml                       |  14 +++
 .../workflow_state_machine.png                | Bin 0 -> 16265 bytes
 7 files changed, 82 insertions(+), 59 deletions(-)
 delete mode 100644 design/14_tinkerbell_crd_refactor/workflow_state.puml
 delete mode 100644 design/14_tinkerbell_crd_refactor/workflow_state_machine.png
 rename design/{14_tinkerbell_crd_refactor/proposal.md => 20230222_tinkerbell_crd_refactor.md} (86%)
 create mode 100644 design/images/tinkerbell_crd_refactor/action_state.puml
 create mode 100644 design/images/tinkerbell_crd_refactor/action_state_machine.png
 create mode 100644 design/images/tinkerbell_crd_refactor/workflow_state.puml
 create mode 100644 design/images/tinkerbell_crd_refactor/workflow_state_machine.png

diff --git a/design/14_tinkerbell_crd_refactor/workflow_state.puml b/design/14_tinkerbell_crd_refactor/workflow_state.puml
deleted file mode 100644
index 3b8c2f5..0000000
--- a/design/14_tinkerbell_crd_refactor/workflow_state.puml
+++ /dev/null
@@ -1,13 +0,0 @@
-@startuml Workflow State Machine
-
-[*] --> Pending : Workflow reconciled
-Pending --> Running : First action requested
-Running --> Succeeded
-Running --> Failed
-Succeeded --> [*]
-Failed --> [*]
-
-Succeeded : All actions completed\nsuccessfully
-Failed : An action failed
-
-@enduml
\ No newline at end of file
diff --git a/design/14_tinkerbell_crd_refactor/workflow_state_machine.png b/design/14_tinkerbell_crd_refactor/workflow_state_machine.png
deleted file mode 100644
index 2470709d63cc8dc17030b66532a2c0b1aef03c4e..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 14834
zcmd6ObyQUSyYI}%AP#~c3`j{SoeCmI3`k2$gLDZ}N{5UhB@zZGqJT6AN`tf#Vjx{2
zEg{_<_Zi>cIqRHz&RX}Zd;htAyz7-cdw=&gpXU?Lj?mIjBE!&Q5C{aBin6>80)f<r
z|CUKmaOHM*J16{)+e5+7!`ju&_m-`l2SUl##rC$Phpi2Zl`o5fhliVlprG3=OBWAM
z=UW2SuFjM~;*8LO_Dx+wkAJ(4KteM<uWme6*F*_Zgf6LX%6z9(i?4U=p8tpsa3D#f
zpj}Qm>*(#}JYUv->f}*UyzNJySH8(V_I`Lc@b&cepv>Y91wwX1e(6NUYHv23S3Jk&
zYQRkK`BZ_tk(-gMpQY%9^K`U^^67EMcE{6iwbS)Aqio}O|Ew^FH4|5!N4>t%Oc8ms
zK<7-HJZasR6`{<2W42BU!_KM^P5dIa991(}C4v;r^pKlxW0&L~^qKr3#CEkVQbtw2
zMMvvq-vG)hTOChalb(F8rb=Tf^6^_16^q#P16jYJuoWA$?BbIjUAK{n;;j@Im%OQD
zffpWMUM)IYj-3?Eq{#ijGbbnQoG27`<y~B!w(*4#8#1D{uTv(rG0O|;`z`#xvjh41
zZEWtJ_x!Y*r50kYY+3WNY0E~|cG6)oO6y7CDzV>E=_^Kr6FOz8KJip60&$sBMP63d
z=jXy}e?x4~@aGyQ-)|xf3<)IMY?T*vAFcXzUN`Fqqw-UZ4(l}F6{Wzwci?FjrlyR+
zqs(H<g}z@qm+9&wr;tM;doDmoTU+FNz6W_|@19g%SM}bI|E68={NVi3bj-o`JgH(k
zyViZ_;@<hvK9TJx3aif|7L*inXbQP(gd7PLNAd<m!m5iXyoMnqEq583otqo1@?JVC
z<u^*z#USSLy{*lDObaRh<yUQ>|K!)WA3uIbtrvLw=}Z)JElSBoq<&94N|6or>u$s&
zkKMj=$H)}g`n*lMzBI!8t+*X-VB}DH(Vlk6V(0j&vjxB40@0JFPyM@-8XM(ln6S8K
z^)H02XH)QF4PnJI*$AsO(+{^Zlx}>i<iqjc`!8{Gb9?F|dTo(9$i}jP3U}+*SiGkZ
zUKat~#^U-ZSm1RE+m~atkelQ|)aj`38x8Md;hJ~9><bKwm%63p7<BB>qaZOcu|xH6
z42vqejLb-j3~92Ie|(byngY!hdQzC;D3VriDi-EJ`)(TkSeQ2Q!9K(B<Hu=GSR70f
znt}(fg?xa4m;HV1{}-2TDI*mW6f!b0ip-?~wwJ#N*6q)}eSf&|K8VinduC3L`%rD*
z6+yum3=55Zeem&9G<=3`<BcaC-(H()O-V_4%BlHqV0HEO_i-!H3s=R&%F9RYnur}V
zM={)}@>=-y;bIvH>5R#Dnt=k#hQotBGUi&o!7^v3_LPtB>kd`X6r_D9(;GLA_NQec
zpT$V;lJrf^4-_}eCrSBBc+B7#w%K`Dq@`>1-s<Z}tLoH83f7)sWK=^_Fz6%R8UIRF
z_<CijI(V)q=;+X@x2?@}wmYZUK3kA@lsZ6f!fGR&PVU=_2C)JLSV<am!0H#y3K~Jv
z3j9r?y0kRwiRP%K;hM;|Yk#tmhd<om?0j$f;lj<%bgv$@B*~qhrA};N?i0=YMn#Q%
zedV^_;+vY9bWWzINIJBqKz}U#T3?Df!&rLr5+Wn7`S?`mXSYmA+O)*BCW=L(V|Uu$
zTx}A`{bgomW~}t4^pwp0as%)C>dsV!$i<<mtjx@Zw(rbpW+x`ry02@Bx(+i|X&V{c
z+)mMdXG(YGOnAdm-}@0-^8ia0D!yvJ4aXbkmc{1DZ_kyY=r{VUV>T9t{J%cqhH+ug
zDLEtA+G#U04yDFXC)~Xy{MKj0MgqDDEU$`8FiZNR=;XNdu%X;Vt*z?u$W;B9$g|(7
zSDG2Z$eDJhWsbP55IZcl6(5~(KROKLyRM@%zOXP<Y~Oa#{s+rLk*f;kKeGMmQR9~K
z!Hy3fJ`{??1<vJ{do0y-O6%(CT6B>V&(GiLc4$QE>*>ilYfA5&`?)aPmVC6{rOB*o
zJ(}`T<mLtFP~hGs8RKQG`G{K_#+HKW?94+$xDx9~Lk=magZ@J6#l^+HL%~lc2b~qm
zC@Cq~To{~~3iUT|aF~IWaQ`ws*p;O@VHHB(_{pT)r3p5PeUpNW-S;!C4gqVeVqvG4
zqvsgdVms|yUxrW*VTx;CJ$>>-i%NE%^V~U$v1q0%E(1mAv8cT)56#~1>OaG-XKAp8
zdCv9P+SxsvrWY3%XA|b)Qoh6AaD1cln&83eH^CQ*tQKiHKa3M*uH)xjaK~SSM@Cv-
z#T&jxx!HQpv|Fx>H&JnFG|t0`dF0O`{rLXC@8342dFDX}rG{tR?+?Vt92%ByL>lRC
zuPnf5M8(oIk-N7Qm#-rIH|G<CEI&QO^6u~NH^(r?glM0j-7*W5<+?E6k*1V9qN1Wg
z8IjHI@Xq$Ptb)8e3A)8DRTEiM#cGPL#A0!I8p!0pO*#Rk?%VE7)|bwmBWk^&8+!4=
z1tEVpnE||KF?gmcUKaZMZrN|~N4xKj<U&xEYm?8-d$SS8#3!UrGP5Qx)$WlCI1E*a
z8V|uri|kWq{JLvxZ7oWR3sp8PvWc)ueSG{pH|`QuLn$JEsHL@4fsLNl>JksnLkvrA
zD&Bu<k##hqDpg1>@se{pqM7d{am5>7U*E~;=`^`3KFby&^GyvxH_#TFaOkrW*c}vV
ze&SIle>2k1aJZzusP&xFPg9H%isUG<M2FK<MMi#m%&ruBYPC9G=fdeiPewk}A%u|Q
z<c!-p)5%eiTq?+-f7XFzsH20@M1BrI_9~v=1fsbyH9}HK3eF*KQrOUkJI7f$>Cq_D
z#_ZOIoOcd(HyU0WrEe_^ZoT#%eoXV!j`D0p?_jyBxuIdWkuF(5{Gt`{ZE5dCMjh0#
zV@-KsVM?E)nLJI9m3wY~Iy2r}4YL{wC1WUa>Ras6lsU++965WN!sHJ`HLL!X;GY%l
z6B98q0-3fKJ4_Al7<-95dGdsX`kaKgIKN>59>b!aj<BxqU7LcP;P6l?XX{muW2uYz
zjc$&w-@Y-scNHa^sbk1yQ>l}Fd7KB|orntO|C=H(EDta#C`hP~AF>fVc*q+6y7YgW
zMZy<Yhrgt0B8^8*^WeFnW@cvA*FB8THg<N+jg1B2kW6h<uU(_u>}0rd9^Lr)vvp;9
z`U3@dG)2h7?Ce7a+NBaojPkW>4f1{OZWvvL>?UnwWJKOmkJ^^s_nz%OLFGVF;08&T
z_7UAh;;sE3udlGLt_);cd#;_PSZD}82&QLdN?f^eWj`81rK&0>G6ci2DW|6wr<!rP
z6wwX~va+iMgZF2ZkT8~{ZM3(sIY$bKax=s@-|P16`>0CqrRbY9kgDgSAri|XKYskk
zhk?Y-e*XM<Eu6c%aO8bR(_dF6J{yrhB=I^c9q=MKxz74?G=%Dq(9l}fraYr!yM>>n
zuv4mhR@gKdvADBwds|DNo0|oUiq3I!|JmPJb7UCXTdEr=b?O^$iaf=5x&Em#I#%NL
z)c1rCQrf$F3+0Z9=lS{hg@j`3E^8svdtt67e!MRWd}m%4J&QOBhP#a^=;(acXS7Ro
zxC8~m(1x@rsBrD{^mIlE59NG5Em{%`X8cPAN}0^G%8Q?kO)g))v$Ior=QmZ76%YOl
z8wbbKRBIy5i4H<<hieAY6G={-7~{@Fg`4s4@T8`uo>b}>{TR%k*OjV3YHvT?^VXox
zAmEbg@cxkZ2)2t|@zL`7dY(6WeyHmCYswr%Dy_V7lnj!b@p6Gv-#ej@<m8d3n$iP+
zwGQ^S`l?X(gM+7A6YU=!qTJoxB|CHxkL}^qh$>Q26IMmI#<GE!%i_zE^PT11xgF*2
z<_&aGGf|FlSM%$ISLLrG<&z2u3XHi&m&Y2k>IYrxqW%;W713R^D}k3ma)dlm8@N|y
zXt%rmM_O7M;+i4p2y737ud^`9?ac_zq?!K03CM{rFFEsY<MQ;Z$;DiLQHXoYv?IkW
z?rn_(jVvEdobgS~LFmX}a3%;$OG^tySGeYHyhH#*ko071C^^&5Ts>Z&u~xB>S3;Jk
zcp0zx7u16!dvyR}PMkP#_UzehRUJg{r%=c5V;g<uuD>dTFV#5p2?z=bwlWe9*b7zU
zYY9)krJ5~(B9ymb(_o!%J*deh$4dw9van<zTsqUgz&L~g$3CI+iUM|StC?4NoLG^u
z{Yss)rBQ6xx(<;t?9(T?TORw{D^|kYS48fl!11->L9=)y`!9ZgbC7RRzSx^@qAck#
zL&4Vd@#7m!QGS!MfT;v~kKmoG<h!4&Qq#=*{3J3T2hUI7_|Yv>Zp)*xYC+2%j~9t+
zA$1YLzE^SM_4kg2EB@+a58}LZsn-p$G*ZXh6?C*WGM9&+_#9*H2be||fyMFVA-caX
zT)K7HZ{1;Nas%yl^CtJ~0t9+$b1XG=N|`w?+M@Dm82Rw<@c7&9Z69e;*rm4Ah)j*w
zgs8T&Hk~ZtIXlyl*12%Q91;B7%r6I4^R0e9K!DpG9wN(^wam%8GSwUMR5R$M1AGAS
z3q>*g9kLwyB)v$>(9jJrCT~v}8JS;SD8tkfFDa-!T(@ipwZyg}$WNT0ELMtU{L^2^
zu47#8QUf89hTm8j({B0=N8b0|958iRSlDr*b%_09j@=FriV1^K%SJT(s`TXL<W!Pm
z7a@MI{^8CvA(GZio12<4&d0{a;?P>iMk|caMF<bqGu2L<I+ZMb$8K+Pq2uND%4g;r
zSnK{sl$Eu0O-;?vuU}?9V<E6tscC3>D==6bnqrbGg`6<e{~4YCKJuA}66@t+Vr178
z!Qu=_|9kvSXaFKLL~i&O0p=5?Lk|8$XpgYX2>&8P@bkr93&u^n78|oYe-9idD=Vv*
zn8C-DAb=FGCzk)7tJT$2*fKnZNJxTQTwJ3Ogb<K|_oM3^lrX9d5Z4sO;!e6B?(fit
zjhAb~nJRZ4yhMm0-Su#^I_&h5P%x>wMn+%OuAyV;vvYGXWMq1V`<&;`+uGZ&{f5-Z
z1wsEgze(ncFjPW90;I+1n-G{5_zE0*c+e#z(Tw7!>F6SI$=bNFIL9Hj{vun_-1aht
zBS`tG>gtm@=_utPZZ0l7Norc!+S=OEP?i0paM0G`5bP3CT7kx<Cd=f=$VgveIJ~Ex
zJ%7&0!4Vn~64J*@PEJ0?fv9@OG-Z^A3NJl|E};1Tf(!lEPFOq#!uk*WnYxZMG&GDQ
z2B@hx4ya&rX~cCvsw6Z}NajB=nv2}^U%uo3K&q`P_FghOSGzqP3Hz~mI$p1peesDt
zN9oY<x%9I0SAqO+jS2?sd}E)Q`twITaM#1BrBQkIeDk9(@|!6q^OVsPZ?)>-IO@MQ
z<5w3nDk8!@0L()}OUn%0DC4=AV{e|(bAcPcxC`s=qe)+ixeix)I?>WT2kLdxHY9+U
zjQ#=o*U(VRSt*{=@Bf`_urfL6>FdwhrG7YN@Xj<r<fcxQBZp>Ez`{?_n<M|wk8ObO
zTXTI&z_;3^bn*|5#=@A*d?({zN2M%2efg3n{zJgdDzJ{T{_};yHU7tmh%A`pDg1nW
zorkN9_=<ry0eE_Nb3pA8cLII6Gz3ZrvnI$ir5I^5bvwIEWsf^|{2`xa{DGOQ1vXOA
z2-_#D;<fmlDZmXBuHK8kKBB_kLe#C@oqcQn;}thAZ`aTEO3yhR9i7#+HA;<!uv1E^
zdU|?ChX=_4t12a%ZOJl6K;@);mT_WKH<_37RWsy#<{?5_21g)|5laSaYw>lZt5D4!
zL94`&5p7y1hS+<49X))Ad4XDqfBpL4$CagUIb1bs5MO*!(%t!f;cQjRCymz<`G$pZ
zzl%Yxa2cw!L?!mN5?wK}{?hW!!D0>q^HbE%lACL$q7HYz@mPF+A*@4Ic4zuWIL@@I
zG`E3$lSa_&(H?82=4*+Nw~}03EpD%keue>?vG(nbRoI1`APj`SsPLpqb>03dX(nK-
zNQRs|RQdsJVrU#o6@e9Z0YM>AR)Z7uN59Dy%aRx&eE#}i{&k3UWJrFra@V+oVkymY
zh^W@CumEW&IFXd%+1Xn&9ap(n#Kq~}P9)t*M>Vbz*om^zvh^ka*WRDy;o&5KnAmtq
zBTLQQeR4-GHu}1qDF*ic_yT$?%PgwGt)s-O#Nn~Wo4uW#KQ5ENd7inrkByDVAvraZ
z<k@~sS7O?~%l}-ApyDhb;6H_3pj<+cYO^T_cjoA*s2)=mF)`W*2i5R_>})P|^n(Wv
z!q;zhW!~&Xm0S?cv~jHR<RMV2!=1LEaf|>r_Xl7Iu($16U!LzIr~?2V37pb+C*@Bx
zDZR7LgTm*}4gO*9CVF}yG=g3T?LheZ*m3gx{k68r1m(f}yu8NORBxw&l1xeZERTYw
zz*b0(p@?C1doO+aH_2_B%X2|<#mcla_En_=Nmf=Qk`FxwLjw{|!M8c=zr?D|1q{eq
zHM7hl3l-i(fJ7tS!@f%1yD-Ey>AhPGp=2On9fry5kL_;Eu`zA^womfSRC&swlc<mR
z0F-9@rAt>P2n9}OgZ5X<YW!Ghva?$n8q#D%9ptVORVFyN(01H+EH<n)ue&=Exb=Fm
z*7;Wj<<8vMoT&?=of+34M=MBQe(1IEGjR7$ma>|v>V4_h@J;}cPwrEUc+K}yUW=v|
z#Uv0YqLs~;?urdGDGemSJWTenimaR-#~}%!#e1jDO19sq&C5F}P*0SLc*#2+YGh{S
zV#9$Tn`aK%FEk@(uF^I(&P})t62OW{n!eNibMw0$KUIz;oH4pUTxM1WEuO<@UE0{g
z{U{=&wrtUXfq`$&1r3@D34azi{gde)5K<f~A<GeRAgF`z<A2Sk|7QWrBok%{k1DA>
z4_t%3qod=`pFc&ImhaymMMPLqYJ-gUEIyuXKI6HKDkeN8=Cg;2%85u2<uIRndaxY=
zW~S`avGMVt5$|qP6#*|v4FFKen0pVs9I?IBokPWuPK%)eBJ@hwx_LBd<ij0%d1>h?
zk3Sb2ySZpcfn$Vpck9~Q+lP$+CZ=?4f?gDo=H}+=^2BAM@en*78U#`TlpuwkjelT~
zW@l$NA_$0r-HxSCpHfk`*Z6x6d0P;;R`UOZtvLQywzBcRu@z=4ZuSQtcA)6b`HY@C
zd**St?^~+Aa<DbB1o{X72Y?Bqgp8aI5%l|~5YoDXO_S27r}6PLXU?=RGi4)mNXI88
z+@}qAL+1M4r%BY;u@WEv8#_Cshg^M{$;rtA#2iW&k#q0avuCjHa^gs4QL?hKl1;jZ
zj&DGT*x1;*zXJVP00J>afFqK^!orYqba`LK#!@6X@Zejtw6!U*Sli2YiBFyVmHiUZ
z#UpxA9sz+L9)%KCjU<|yZGLTDAiB-RKyss_U=Tedy6iSu59{=a8Wb7lo?NV{+iW*C
z6*tS}%Ra-^zL_(Eh&wADKr|9J=KA{1$Y|k4Y6F|rpPau&FX8}H%jhjh^_^)ArrO*F
zE8_actAB6(%Sl)`IEXR*AMRwmU;;|<J>g>0I%F2VjoDJ`&*Z{aAl))EC#R>M%NvB(
z1C&&y>)qCiiX5tNKQ<!0(n!T5;bB<fKuP0sbg)InjE;Vmm55=9Nk<Uv0C_SlyA?q~
zZNBlRYr4n49NPsFY5@cThQ@i2{W=^S2Fn%_U2DZHKM@6ZLK?BI{WRrhI{y#*C<G1$
zudJ@FUhb({s=Y=4t-2V{VoFsr9J{l%0bapMWxPMhn*xyp&}+jwu+Qb5)yZ#BJF3@_
zMUhw<8Y@i@js$6{0{6UtfBa=JT1b%Jegg$}I|@47nWnt0$b-X7CEwjWVIC3f*Bq4L
zS_t~B)o$=9=~%Bc0NsB<^)SWu;K*TUze%M>jxE-0f7@LR7}8@vui-{mx9K0RS+9nQ
zIR9L4jG!9l1@&8`sY&Gih$N=o0|dnCnwlm9hZoC6aOA(gK`g@n%N;sW4c?pC+S<O@
z*xGXK$?btyNy}%5H!1W5f}x%mY80m`3Q98}mHGjG{o9LFylgP>hpMV;#c$rcArW7p
zx}m73*p?(E9C=wyL!-GdjQK7X4G@|$`rRi-0qGkD+FBICK89Nc8yc)Z_e~Bu^aVmF
zlE_JDaP~S<R7Xq8;^W~FoZ*72a&jQSqba^|)$bD>KdzZ@;k=||0MPn{!E$d8kNy7#
zaxg;BQk~|HF>-5){kP<R&>h115M=-V0Y~_110sc2Djtaa+TYC#sq)t^)27cyO_8+a
zw+23SsiP^Jf%gFC%Jo4rUUmZ&9#7bt7jQ_5dqvm+;HQ5N;~fGyI6hW>^WVq;oX{Ct
zknJ7#dG(NyH2k@FdB2Sav;tzA+|{dCx+5Uy5ZDPPKIb0D5)iz&=ilJ$?504#^u3*f
zu*yU0=No6dp!o>74MK<Z$FT&U4E)AKCS|u|CkJ{bf`Ap~<m5=cfhI`NXf%bahlj`A
zyN5OYTPNjz!k}8|`hnv0ZS@RQdGqq{2$)t-(9(uU2?_{I`KF^<*tN~fl3u(xLqkLJ
zE)2p7pjlC;-Uo^3TcANYk9`Uuj{it*UGBRG>^hpGq2)1q46}^Ok0`4<{alNid_jOB
zUewpux3_Dpxzc(ffq+W?299xFHqalaIn5u};3z+T|FqJ!V#0Qaef~U4Cx>slnk+xi
zz@V?BL?nq6fGR^tgOrq1S63H*6$3D%0-TW%T^ppd?+@$hf<WmPomT;YikS=oXkH3>
zac<5@DrP(&AOO%x(;CQFcVgq>CdbAs_3A3$_BaX(zJ~!NF+syLC6$y%`rFT|?%zjw
zdv8@&OD3_yWlZ<J_GH=5x?f<!`1<*!D%M{FOX(?vPL$}9rGtY54u@!?hE1Ie3bQUU
zFQA*L`?{I`LMgzvBtc+&cdjvb-b&owVIo7usm48i{IOUO9lQIcx|(st^{Q;#>(^wY
z1$7kAK$hde^tAn*8!LqkK>Z~HbrHV0pBfsbzb9Bn`jg)=QaMt9yv73y$gUJ!(vdu{
ztp)owMqXC-p6wBdq4_Das;a8bCE#;cK#hWU=LH&tiA*f?3)Gau2*|;uDY>~{M@E7M
zifq4Leg#JrLhEV?%#<O#C{BcfmfU82rXwOELb4dP2%YYsl%yo^&^QmR%Z!ZFggH$o
zhL=$Az~=dSMP!pU6|^$28d5&Jdi5%=``DxC=&5ZvNJ-alxOxCq&jKIay?Zx6gpg3I
ztgK)asAc%-jPn(*g~b5zTs;EVz<BA_i`Uin-d0rfH#LR)z0Cae>sQc?BOgATpN<85
zG_$z)<2ktw^7qKnZ#tQ~)%Tf^v(_*MBoZ0GOoz2tdJr0Fykls=A@@ko=5aY8cN#0J
zs1y##prj=(yE*x=o(9?Fs=hwW&xT6}O7%*doSer)Qd-_=0YP}+L)4NrUZ)omAq0X9
zFEdRXhGpZ|$<58pDWR&<kgp5dj<f0FU!OjEc5!K`Eo|&`s=dgFk|MhQT20@#Z;>()
zb7hZod9Z{_T(6!yIqmK3T{Vlgkpx@>S!W^{B;2M{{kQHB#s1Yuko4k2^g+-#JZ0Kj
zTU$GS;yOEsZ<n?@iD0j&$;%T_*Y70?pF&GYN)pyr%a|7q88edp#CY-qsW$TKo05|5
zp&=<w&M*Z_Ny6w;C}6b}qZvOywxLmQUfJ5R4`Su1pGvrBA8loJ+`_K0ePW-A5^K?L
zj)S9UYcEa9)HF{ghx$^I1lB_E_v9o*_BBtx7?Ph_oBKhIJoWmNu0OQu8Ibu%;aZAs
z_b>&HBCgjR8h3YgR$}lQ+ghWgeP$EvdOY>H9gIijmaar4PmHm~dY@yM?X|U#y~?(>
z8NtE9+d<d#_2XBENgT**?Cl#+e1<&r^gA<YF)0Wl838R#O-<80KC0{ZGK4Wvo|!gM
z|8u&^(-b@qknSV##Sj%3$FzBVHlUu3Bk<&8j`r7pR3?i$#e2la&85J7{QOZt`1d27
zic+K*UsF?1c_ENNH|Gbsnwm1ehJx4tCO7%XlOEX|l9I1h%$I)u{(V_o{LA6=eP<$`
zdQ|mBuL;2i1<+|#3t90+GtnbAAbT{?e@Y@N@h(BEz2w=5JHbB>i`%5<Qtqi{NB}Xp
z*4zz2f2KC(){j@>d~`hZd81`(pGXD6N4>qghRd88=2E9*_ajKu`PG@O$+Vv4saM<H
z+w=a@+0@bD-jS+s^6tg7jVG%RV^+HOu7zTR%y|)gzaW8&Gsb4%_R}WMn|+Oc^5lNk
zNB847h&62;9jj@WV&ZlhimNfeqU(UY1~4vXV=930Lh|U-U6U?ka;w$PGc1IZ0KanY
zQ6d)ift0>X6G{;;yERZGbGQ;i5K&i}XzA8Gb#ac4Jn!Cs><y_)v`}5Zthxd`+Vj`q
zZvj2cY2$EfP;xexyuY!r5wZvKdC_eY2Y@>r-WQ@t<dlzxX%#RmV1fB(O+Pd0{;CVK
zORkL~0e=1_XJ%m#=ncSX211A7ws;8-WFflugYVx5L-lKc_E~rsD5u`CCKfDP@aO^-
zKTN0JrPD$rll00VD~{L?-<#L{aM0%A)Ogija`S1Cp!=`Qu#<G-v$H%rXn<2z{S0pr
z-B{lv14&SOG}P7g_Cu1MJn4LIE(6C}7jtG)ksI+GJ$U5x34n>isbdNH`ud9U@&z#|
zg&0EsQhGNs9b#Td`d*NcIRb6BD3|GK)9EP3>+h{}Tt;f0WscDSfhj81Z~Z&P00#4>
z>4(ak2Z5Cjrx0K>qohx}-)265G%)Jk<roNyYT=v0#_iryMXn#l8sGu~z^$0hpFZ0I
z;T6OUMwz?&u)v_V6PPVlt8UZ-)HY+D?SZ+*`!zDZv541(ZLDLv^{qjF9j*gd*5-4=
zIf`B?4dOG+cbN1GFN1K`wQv4<z~Vhsm!-|pDF&^2Sk+Tp7R`_7D$S#yiUR<X6@5<&
z@K}}13LxlOT3YZB{P0Ls-o_@qwy~(_g3T}t2ZoaR@SbW|i>&!B*x^~4$%l<pnjZ80
zgzX7xaNPI@^0$U3NEFt1@iiLXaZ!XW;=Mxjm=r<IvAjpvO|$~0?P^P1S#59M*YadS
zpf31M0N8wT<i$`r;CK7>1pyb`^Xum!Xs|joeEI}ok3rOtnv#<BcKh>aHHwCygE@1m
z)2AWI#lE3#^E7Po6Dmga&o$mUvv^?1fT_4W`IY%_`MA8sw|IV#n?N<GJv#K4w*X8j
zdQmubdvnnB8XZVlbjqKjNIyz~hV>ZC{NX&Ki<E@clCbq=oKuasrBj1icn4)AC8cu5
zo?OtlS5{U+v2HW%tZHou7nLp^KNbOcXJGC<t0dnkx?>Qs|0tW6yS!d3u93*ID#yTd
zucf`;3Tx%U5kkW+Il$G9e`Vi#k;RKI=jfFi`6X7p+ubh2)&?EjO+PwV3hIlR{`+h}
znHgv4H~{)=XT0H6O^U!8nOkbe`hfx16+f(gwzjJ4mLcz(>(m2*&@!qof64om1CSM)
zJEUM^laA+R#>SZADs3#J7z`NoY=l+m&qC$B>H9+Pm=1zmepOgn>`<~RhHFP47jYo2
z<n>JD$?q1ydvHk5I0L~nxp46!sJz+<vag_kLMLEyX(=Z2BkV7CS0!#IY4Y`zm5+Jl
z<y-d2fn{K=0OJabAaK236)UiZK^5}^x9pEszTg2t(gfm^tM?XsE=DFM(d305OY9Y0
zyy&`w?8ynm(^>b%%(6gB1q@s4iEi0EEI^_yvNGP?gGOEoTZf*TfAr`PLFTD};QZyw
zmlt^UMgs`DuSIU2o{w()eAXW#mF@0n_vf2yYYngIB48^rNe5JTY{jd~-2SZ$N8@on
zNQ|&$fyT&5RKYTnV=c&J#MwhT9*QiFs+8G>Nu&E!H7N#$naesTaN1K-Q%RD(I%O%^
zrM>0jz){y$S4)Tl6Mg1-^IyGU3~-!eNsRVv1Ix?IOrWYmB2Nx&7(tNdppc^n*icrI
zpCg<J9Wcncv_rb}@Xi}Vj~5Os{o7FC`MmY??*sxdxUSXw^5LH~{$j?F*`;8y&xO`Z
zm9%aU5qyeeX0%8<PLi|h+?6W~e*lIHryxw`PY|5sQ5lSzhlk|y6=0`2O=l%YNJxAp
z;|x;paF*${@cf&98%QZ<#Se<QOaK-79L1!!OOLgPl#(R~Ix~9ppzTst!er_hY_WYT
z=`MS&_wSDxAdl8$j)Du0zL_7c0)dJFyP(UpW+Q&=^Sw)bRE>scHDI!2g%|e^4i=P<
z!Ng=w4irW;gLbb!bwr_1W`P@eImLvspn`{nig$ia`Q0y|0dpn$-uSo`QCVfBm?|)V
zd(v{JFLhJ>m5kah5QtQgEx}2V{PvHll5~zBGR62j5&5j0)9`|4GvW^>*TuRUR3}_3
zCpRZ&7D&-hU1I!aS3;wk_N8?h7x8uKXDKd2+O3(0O^L$XVdm27^`MtD$-LD_lDw&d
zz6C`QLPA<Edl-wG-chIMk$=@fI3df7Nh{z?U2KzNCtgmt;_Wg-ZDAov)4C4rLov?a
z^2ala#g@OXJ(#ssXmusy%h`w%4sL6S4~}Tg2Kxt3uh9vmX_WggC61u*W@)?@Q5q6f
zMD8|QcLX+^nxzNh=N9PsAk!bNXUXIo9lhW;Jd2v`%pj$ifl?qSqsYi>v;u+#r8G?%
zj((V)cyPNL%#~>;LT<iUTDTfoj%8+!c^xnw!KtPB;qJli?=Mdarv<@&AVl%jrr1Q#
zrpltx5S}wlw2Fe;X5xcYKL4w8Pm+_F-zl5U0Ni!EXD4|k4G}m|I8!^uDJ3;DG{h7S
z$L8B-=AgVd&UjZaL%VaXgYff6%eB8?40@5F4xtY-wlbCIs_{YyIdJxhms&tb52Z3h
z2!*8n*u}*^{(G_aoZpB%_yLth_dLOTquA#)cn5P`I>mB5Mr!lSt5pzOYxY;a8LD-f
zNBxK1A+B=%fm)Do0it7>l*DYtvzvUlJCZa5V*4}t_zX!xVvt;%W;=jPj5D;dyeTX{
z4-#E>-O<3Eoz=<lw~&A7S8`la90rE6-Aza~01#O0uC>X0E^Cfv;+1${od8ONN~HMZ
z%gV>5QhDxC^hj_82DdrH1?T*o9e6+YrAzvcQetnA2{`FGWzc@2OG6B-7}|_1TjP+a
z!uJPL*0D5C<qYn0Ib>OU0h%63sC}@a@t%NqFh@=cEV9{^H2)-D!iyJNc7cI`8DdNh
zam2YR4h~SIsNmc<deL~&VpiA@WP<v36@sC9j0sYxT{>z#>NDG3DDyE4g&;jGnI`~5
zuwV1Ek+ZWOTeK5s8>$_gHN3<gjl{2Da5tE)#XozN9d#x^@hzj8lp+~cD<%N&SjFHQ
zD=uP|9LnOFH`&n`FcWcD575?j>efKJ8gt<|xKgQzo?(bl*d&t~?|i=a;H7WU6>su6
zjl@gp>1p)$U)IgL%<$mOrN%`|Ddn48yz#F$&WzN_NM>)u)qb=u`TDWjy4%ncx$F1(
z#l77HpZjx2dyE17LtSqRoq?#A3mfM=b?d*z@xDR)K_(&k*iJVM);j6p@BN*|Vyh<1
zxy<zR@E{kbsR%E5@YCGS(b3V3e;J2pev)?-vWeDe(9u><(AJQ5|L%27sf;}hr-31%
z+a{q{e5eFDCn!@;2lbJTnmRo(_@54?|9gi}PrW25m&zKN?0keHs|l0f=II$ySh6a2
zp6D~T8R;8WHLUtSQ=JT){1;g)+b~ORg1xqO2Y6f-Ml0`DK>t)tY&TWoLTGbRFaNsJ
z7NMSk<^N<t`nMBu$WD_s%Iq7J9*;Hntxofk@Zkf%Qsa|)B4W2pmw#L6&l%BpJ^Vd0
zPUA>AY0Nk1&gl3@Z3i&ApNLT#ZM(`5H(Ng@#DS9Cq%rd<FLiI<1{PjzdtoR&>$Wth
z%%Vx8(L|D^EJZ28R!J3h<a>)aR-<v!W2?Qfh)MIDTk=f%n`6;{cNM}1bBDDWgD@`{
zx(+DoPqsa5%|SHOXsmnw>(+KVdF)lmWesIzEt3I;hXndj?2ux74Xun7`RBgaCN?Hb
z4+d040z<!WX~?h^R06?Tt<-4P1kF62ZKIj@vBDwsH$vG!Z81Yuy3$;#?Te_bFAk07
zEW#Azicxd#w0=_DY#eRp(9gyjZ%A~|`sjDA$QuwIN`;`neH{ruYbD-wpyH`NLr^<q
z)U%xi=H$&sjmjn>kZ8jmhKEos7!iTd#Xpu3&PMQR*Tb0tALP7qxqgj?NR_{X<;Q4F
zV?Og*(={XfM)e!zUo6Zj$mWwDEWh(qMu>Vn5Q^m*qzc9q7^Cs<=*w{mzQL7rmn)eu
zeoF`Ldz;Q&xGmE&ZxI8mV(lqU=sC6gA@*u@JR!$<5s?qc2QsnRlxHVq4^lPMn|<Ly
z^b~`)rK+?GH3`;nd3k(1^&U{vl$nvCT{ZQ);grmSh}n09wjhxQKaA21eByZ7@qpcJ
zhGTY)gtbaxNPZ~k4DqI_J`%u7!v&#t-5wsdZ(H%#ck>w*AoM&GGkq@yYzuu--<1ES
zPwVK!TR|s}MHHpkwzz0t(w?*L|H(57GIpnhG{Lr_;uR5jh7l6=UK&=2)7m;RP9GL`
zA8!OmvHqIG8q0F!cWAA}(}fsI7HzMRlLP!;IiyojPyl+YT~d~G0U)D8XZndodGw3v
z4=jB3m3Wl_a4l}#x&@Bv0(Ai#$f0VFuwU)8w~7vgPoDc49sj2HVoR9Icp5LF^&DSl
zFLy8080ImVaRCFkYBDcY99)SII3Z0dg#Pg11DA>JZL(yPFPep1H0VQ5085Ve@6g1=
zL|s?fy6+K$Zm}jhSp3s1M{eAR8IZHtBY<7Bb*BT@JCwY9K8%I}0z60z!CmwO)ekuI
zlbTuO{0g6yaY%*Wf!wDuh9WfUv2VOAGBV~DPp^}G7+YEz0r2?xinrV)64us#Uc)s=
zDd!cr>vi=Sl6doLea!u*9O|dlPyXRNQN<=8@UEm}T`Uqs*7W&v<n!TbS5&;9`C)CU
z?1y~gQcUY1NKW9G_Ow_%H>d|`z>-oO-9rB1@#DuG#rB%#yyklO!CR%u){cB{vuEAH
z@zv`=>`-d$Q2T6zrN#S`C!JA~U%WWVkAqt4jy%Y80HoX$Yg0#QO^qmX8QNVaA8|C}
z+70~$A-Ub#`OD_#SoLQMgxzATcqmkDP$aLYn5uGn@t61&U4)|=3>Q=T)m^xvvJ$qP
z@Tk)pJk+nH`Py*`v&_=!XsY=;Nu<6>AHBxdqXyc?K(u>fEUF$f8k?|z>u0l<z!{hV
z>!z@LyAF6IU~iCLpZNtE=<7qJM<<(%7ndw@T=Rxf%-PB7`WekZZf<TWDiJz@i@CWx
z=H_6NP1A4dy%NcGk02B?gU@mD%w*3IRF7qiZXdsQ?;a?MkB*e|5Fm>|<;`dH;Kyl?
zrjMWkD`;<U<k^7_qXFMb#AQQbUnwpGq4<r1g9BtGF|p^`x+Zz)r}!5436+_pjy-?6
zvf=`bCX6>$SFQH@vQR`=EEa;sjk>#mXM|sZv<oD>L>aOw6qyYb*+v#Q9o~oPr>e?I
z8Z1`0dd?h~?vipoB(eyEaRp09n04)L&?*Q8gL>Dijy=)K(alB|aAhN$h@6qGuCC}K
z5?7;cN6~YMuU>s8s64bmK|!D#AFAms;qstn!H$-Nr~aqx@`UP*Vmq?P)VtSu`ufD6
z3eY73bqf#XBCtNA<+h!Nw=89mkAisW?YOwP-Mzi1nfqqZx;fhqLNEnV(2X0WrbWfY
zM$|E%Ku_1s7+>Pk#j8Jg`EnM7hbtvlgo$<2fUVBIDW<}v7@nr0@}+vq0ITkx2IgEL
z^f%G<>+bgUnTy}qA9L~W=;Y`+s1Yuo7jo(agXL67RC-?C_pYw%BUSDsSPTCY%;>^`
zl=q@3jY3qo0FDv;2%|-xdgtxV$h5TyTmY*D<^*>Sw1~>8s^Z8hq?Wc^S_D4_53Z0P
z+Er96$G8*~kWyeRXw$Q@V18H21^D~X;g|w;=$#%9*1uZ$@6R!D!(a%kE*R7m67DW1
zA|@s#BI@5s6ZAr+qULE=jzRIzxA`)nzYlxQe_%LCFFTKtN5=+v(=0D97nDCnKiDJu
z$a0jKl2Q+t^PM6M@D&S~dHg;zV1WYs>wO*$Gols&oGxM~2&5$+Kfn06IPN_mb~d)Z
zkNPz<eEW9oW4V$;^bI^1o>$Kg^z|9!L@~vwHd%JVg=2?@hd>`OSF$0?H_Dh3LA~b7
zoZMW$h0?xf-L}deNH{ptP@NgBo!#SDk^sgo){PHD`FRwfvNQNn@!Pj=^Od5{@ZN-|
z_t)bP1(~`4zYs0RW-P+U8--!<Jif973?@ypLmYDkB=>uu{g-4oFP3|(%yEn);n1;u
zEPQ<5%bIB;!o%yyi%EsxrnO8*-uLHJH8eJtmqB!#1T8|jhP9ct@G#R8l(Z@Y$j!Pm
zXQcc@X8ZN4!l2L^I1Qmw6xRuN{dnw!!C>5urg=|;EpnUG&@w$j03V<YlJs|3FRwDa
zo^l1+`ho(XBzkZgP6&SmpZ0Onmb~B13snehFfkyLr7k)TjCoUR!W5OQI-Q3vY7}j3
zemlLdvHQ48dg4UkJUInV{je<AFP-=2ppvZAM-;66P4fH98*btC-v_a-ihBDNS>S>r
z8=b_z@8G}{Z|LcXBP@g!Kg=db)&naFXERa-_CBY>Hv_b^w6!G9pqM;l=GEIP(j#e)
z`k`V!H4e&q?(ZFa3_fl&3XMs?;esGsGCLh};oOJ1y1FSo<3s&HsRS+LZ<#G;s2|=@
zx^et?SY;`ihnKhT-PHW{%ESOV7TWzmD7qi%4-wK(Q_H(5oxN}k14VF9IyAv$0WFh(
zUgZ9nX6&I5u$5a(7i8<NVJMEpyHUf2>nDEs8cop*%5A>038G_hex8ro;!Z<6B~Se#
zO8Vl(i~RigDJi&0ZFVd0i70DGCV(fWd1?*n<Ld4n6uk2pDYT*Z9g`1-#yavAHTb&^
zTYmgV0=4|AXvIB2!vYJav3>XM9h>cVV??PlI^4MaPMcJ@@0wk9V?)DL8!QDyEVwu*
zC^`|<F*TL+U9~yR1k><{xvjXUXm!9o8OtjnA)%Te36k|ZCBQQVM9&6P#)2~EIoquw
zFX*_@d?bLsqyTDKM$1xf{$RE5+O{`gXlKDt_8$wOeLw=`43C|nm}P2#*BWNnw<Q4~
z+wZG8Y<dFUKamCh+#`J15KH5H557_$W4N@vy}b@9Iiv@NHO&`7mP3`EBLQns*|OnE
zh%4TUHXTrxA<l9L9R$MvCOA7g8)}>)-$*Y<jK)MnK%M0y@V#@cXXRN+UXX)RFa^3E
zc=+v5D0CLSQgKayFS+>cfLTsM3!9JT2=XnhUSI=MXQsZyk;1oQ;-=L;lv`f;+e$ZB
z*x9W?U;*WEf4;a)<nvK5x<FFe$OFnnP!30Fhwl@h6#oKzi*uHqWom1FAZ>tcd2P)a
zy4X1NrL9e=$*lMw=1R~hsT4&P{!8!`i8VbrXbk$TpfG~=BoZ|`KmY5h3?Lb+FE3ua
zfbT>K5#W9f!W_Jk4m5swqrgJ;RB-j)VwIJOE)u>>t4G0{Id@fgyS6F?I;=71<6!2S
zo*0sDplMjJxLXYJrM<VJW=x(#MNBD3D-_a%D$+vib|e&s&eLzgU-+7a;d^k+Y5hQH
z6biW<*hhZ^EsuT#W7}x=;SnVm@}1c|GU&o{N8E7m(Z&{l<`@ORpYs}G%XaT(={<sS
sZ?}^%Ov)hMfLr;mPx4qB%XZAwgAGH^mMs{=*Ov$t1r7Okau)ah7Z<vabN~PV

diff --git a/design/14_tinkerbell_crd_refactor/proposal.md b/design/20230222_tinkerbell_crd_refactor.md
similarity index 86%
rename from design/14_tinkerbell_crd_refactor/proposal.md
rename to design/20230222_tinkerbell_crd_refactor.md
index 673e5cf..aa0e631 100644
--- a/design/14_tinkerbell_crd_refactor/proposal.md
+++ b/design/20230222_tinkerbell_crd_refactor.md
@@ -76,7 +76,7 @@ Users resort to Q&A in the Tinkerbell Slack to determine what fields are require
 
 ### Custom Resource Definitions
 
-The new set of CRDs will be defined as part of a `v1alpha2` API.
+The CRDs will be developed under a `v1alpha2` API version.
 
 #### `Hardware`
 
@@ -91,7 +91,6 @@ type Hardware struct {
 
 type HardwareSpec struct {
 	// NetworkInterfaces defines the desired DHCP and netboot configuration for a network interface.
-	// It is necessary to specify at least one NetworkInterface.
 	//+kubebuilder:validation:MinItems=1
 	NetworkInterfaces NetworkInterfaces `json:"networkInterfaces,omitempty"`
 
@@ -142,12 +141,12 @@ type DHCP struct {
 	//+kubebuilder+validation:Pattern="^(255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255)"
 	Netmask string `json:"netmask,omitempty"`
 
-	// Gateway is the default gateway.
-	//+kubebuilder:validation:Pattern=(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}
+	// Gateway is the default gateway address.
+	//+kubebuilder:validation:Pattern="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}"
 	//+optional
 	Gateway string `json:"gateway,omitempty"`
 
-	//+kubebuilder:validation:Pattern="^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$"
+	//+kubebuilder:validation:Pattern="^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9]"[A-Za-z0-9\-]*[A-Za-z0-9])$"
 	//+optional
 	Hostname string `json:"hostname,omitempty"`
 
@@ -180,13 +179,13 @@ type Netboot struct {
 	KernelParams []string `json:"kernelParams,omitempty"`
 }
 
-// IPXE describes overrides for IPXE scripts. At least 1 of Inline or URL must be specified.
+// IPXE describes overrides for IPXE scripts. At least 1 option must be specified.
 type IPXE struct {
-	// Inline is an inline iPXE script that will be served as specified on this property.
+	// Content is an inline iPXE script.
 	//+optional
-	Inline *string `json:"inline,omitempty"`
+	Content *string `json:"inline,omitempty"`
 
-	// URL is a URL to an hosted iPXE script.
+	// URL is a URL to a hosted iPXE script.
 	//+optional
 	URL *string `json:"url,omitempty"`
 }
@@ -227,10 +226,10 @@ type StorageDevice string
 
 #### `OSIE`
 
-`OSIE` is a new CRD. It exists to ensure OSIE URLs can be re-used and easily updated across `Hardware` instances.
+`OSIE` is a new CRD. It enables re-use of OSIE URLs across `Hardware` instances.
 
 ```go
-// OSIE describes and Operating System Initialization Environment. It is used by Tinkerbell
+// OSIE describes an Operating System Installation Environment. It is used by Tinkerbell
 // to provision machines and should launch the Tink Worker component.
 type OSIE struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -362,25 +361,27 @@ type WorkflowSpec struct {
 }
 
 type WorkflowStatus struct {
-	// Actions is the list of rendered actions and their status.
-	Actions RenderedActions `json:"actions,omitempty"`
+	// Actions is the map of rendered actions and their status'.
+	Actions map[string]ActionStatus `json:"actions,omitempty"`
 
 	// StartedAt is the time the first action was requested. Nil indicates the workflow has not
 	// started.
 	StartedAt *metav1.Time `json:"startedAt,omitempty"`
 
-	// State describes the current state of the workflow. This fields represents a summation of
-	// action states. Specifically, if all actions succeeded, the workflow will succeed. If one
-	// action fails, the workflow fails irrespective of previous action status'.
-	State State `json:"state,omitempty"`
+	// State describes the current state of the workflow. For the workflow to enter the 
+	// WorkflowStateSucceeded state all actions must be in ActionStateSucceeded. The Workflow will
+	// enter a WorkflowStateFailed if 1 or more Actions fails.
+	State WorkflowState `json:"state,omitempty"`
 
-	// Reason describes the reason for failure. It is only relevant when Result is ResultFailed.
-	// It is propogated from the failed action.
-	Reason Reason `json:"reason,omitempty"`
-}
+	// Reason is a short CamelCase word or phrase describing why the Workflow entered
+	// WorkflowStateFailed. It is not relevant when the State field is not WorkflowStateFailed.
+	Reason string `json:"reason,omitempty"`
 
-// RenderedActions is a map of action name to RenderedAction.
-type RenderedActions map[string]ActionStatus
+	// Message is a free-form user friendly message describing why the Workflow entered the
+	// WorkflowStateFailed state. Typically, this is an elaboration on the Reason. It is not
+	// relevant when the State field is not WorkflowStateFailed.
+	Message string `json:"message,omitempty"`
+}
 
 // ActionStatus describes status information about an action.
 type ActionStatus struct {
@@ -391,49 +392,54 @@ type ActionStatus struct {
 	StartedAt *metav1.Time `json:"startedAt,omitempty"`
 
 	// State describes the current state of the action.
-	State State `json:"state,omitempty"`
+	State ActionState `json:"state,omitempty"`
 
-	// Reason describes the reason for failure. It is only relevant when Result is ResultFailed.
-	Reason Reason `json:"reason,omitempty"`
+	// Reason is a short CamelCase word or phrase describing why the Action entered
+	// ActionStateFailed. It is not relevant when the State field is not ActionStateFailed. 
+	Reason string `json:"reason,omitempty"`
 
-	// Message is a freeform user friendly message describing the specific issue that caused the
-	// failure. It is only relevant when Result is ResultFailed.
+	// Message is a free-form user friendly message describing why the Action entered the
+	// ActionStateFailed state. Typically, this is an elaboration on the Reason. It is not
+	// relevant when the State field is not ActionStateFailed.
 	Message string `json:"message,omitempty"`
 }
 
-// State describes the point in time state of a workflow or action.
-type State string
+// State describes the point in time state of a Workflow.
+type WorkflowState string
 
 const (
-	StatePending   State = "Pending"
-	StateRunning   State = "Running"
-	StateSucceeded State = "Succeeded"
-	StateFailed    State = "Failed"
+	WorkflowStatePending   WorkflowState = "Pending"
+	WorkflowStateRunning   WorkflowState = "Running"
+	WorkflowStateSucceeded WorkflowState = "Succeeded"
+	WorkflowStateFailed    WorkflowState = "Failed"
 )
 
-// Reason is a one-word TitleCase string indicating why a failure occurred. It is not restricted
-// to the values defined with this API.
-type Reason string
+// ActionState describes a point in time state of an Action.
+type ActionState string
 
 const (
-	ReasonUnknown Reason = "Unknown"
-	ReasonTimeout Reason = "Timeout"
+	ActionStatePending      ActionState = "Pending"
+	ActionStateRunning      ActionState = "Running"
+	ActionStateSucceeded    ActionState = "Succeeded"
+	ActionStateFailed       ActionState = "Failed"
 )
 ```
 
-### Workflow state transition
+### Workflow state machine
+
+![Workflow state machine](https://raw.githubusercontent.com/tinkerbell/roadmap/latest/design/14_tinkerbell_crd_refactor/workflow_state_machine.png)
 
-![Workflow state transitions](https://raw.githubusercontent.com/tinkerbell/roadmap/b7b2362997c01ffa52758e10259b8f55e81f7447/design/14_tinkerbell_crd_refactor/workflow_state_machine.png)
+### Action state machine
 
-Actions follow a similar state transition model.
+![Action state machine](https://raw.githubusercontent.com/tinkerbell/roadmap/latest/design/14_tinkerbell_crd_refactor/workflow_state_machine.png)
 
-### Webhooks
+### Resource validation
 
-We will introduce a set of basic webhooks for validating each CRD. The webhooks will only validate the `v1alpha2` API version. They will be implemented as part of the `tink-controller` component.
+Each CRD will leverage [CEL](https://kubernetes.io/blog/2022/09/23/crd-validation-rules-beta/) for all validations supported by CEL. For validations such as ensuring MAC address uniqueness on `Hardware` resources a webhook will be used. The webhook will be served from the `tink-controller` component.
 
 ### Data and functions available during template rendering
 
-Templates will have access to a subset of `Hardware` data when they are rendered. Injecting `Hardware` data was outlined in a [previous proposal](https://github.com/tinkerbell/proposals/tree/e24b19a628c6b1ecaafd566667155ca5d6fd6f70/proposals/0028). The existing implementation only injects disk that will, based on this proposal, be sources from the `.Hardware.StorageDevices` list.
+Templates will have access to a subset of `Hardware` data when they are rendered. Injecting `Hardware` data was outlined in a [previous proposal](https://github.com/tinkerbell/proposals/tree/e24b19a628c6b1ecaafd566667155ca5d6fd6f70/proposals/0028). The existing implementation only injects disk that will, based on this proposal, be sourced from the `.Hardware.StorageDevices` list.
 
 The previous proposal did not outline a set of custom functions injected into templates. The custom functions are detailed in [`template_funcs.go`](https://github.com/tinkerbell/tink/blob/main/internal/workflow/template_funcs.go) and include:
 
@@ -446,11 +452,13 @@ These functions will continue to be available during template rendering.
 
 ### Hegel Changes
 
-Hegel will undergo a reduction in the endpoints it serves because the data is no longer available in the `Hardware` resource. Minimally, Hegel will serve the following endpoints:
+Hegel will undergo a reduction in the endpoints it serves because the data is no longer available on the `Hardware` resource. Minimally, Hegel will serve the following endpoints:
 
 * `/2009-04-04/meta-data/instance-id`
 * `/2009-04-04/user-data`
 
+This ensures compatability with the cloud-init that explores the API via the `instance-id` endpoint.
+
 ## Migrating from v1alpha1 to v1alpha2
 
 Given the relative immaturity of the Tinkerbell API we will not provide any migration tooling from `v1alpha1` to `v1alpha2`. Users will be required to manually convert `Hardware` and `Template` resources. `Workflow` resources are considered ephemeral and can generally be deleted.
diff --git a/design/images/tinkerbell_crd_refactor/action_state.puml b/design/images/tinkerbell_crd_refactor/action_state.puml
new file mode 100644
index 0000000..1c3e0fa
--- /dev/null
+++ b/design/images/tinkerbell_crd_refactor/action_state.puml
@@ -0,0 +1,14 @@
+@startuml action_state_machine
+
+[*] --> ActionStatePending
+ActionStatePending --> ActionStateRunning
+ActionStateRunning --> ActionStateSucceeded
+ActionStateRunning --> ActionStateFailed
+ActionStateSucceeded --> [*]
+ActionStateFailed --> [*]
+
+ActionStatePending : Action waiting to start
+ActionStateSucceeded : All actions completed\nsuccessfully
+ActionStateFailed : An action failed
+
+@enduml
\ No newline at end of file
diff --git a/design/images/tinkerbell_crd_refactor/action_state_machine.png b/design/images/tinkerbell_crd_refactor/action_state_machine.png
new file mode 100644
index 0000000000000000000000000000000000000000..a370c8c96361bc671dd90614a6b72e71252ea4ba
GIT binary patch
literal 13184
zcmdsei93}4`|mT834?57DTGw^Ewl(tgk<0MEN#|gO@t9r$dVAU?^{&%U1+gysq9Iz
z?>lks>GS#i&iP&EoIl{4uFFL;^E}V{eZTMJ^?Kd+Jk?NBq{1G<A_zjIboGiBf}r%^
zr;`i~uLP#wGJ{{dF7gI0HyrLgu)B5J1yQ_p_m-1|%dMLnmJc|rTwLx+3Jc$}v$*Tx
zYHufW!@-_b<N_<)LEc)&z~w)$BPh6y`zu`yQ}y>EI4_5{2lv<;Zjxkbz9T)flENv#
zdBj~)ZpJNEwK6)tjCsGt{%Eqp=EJqb-izW*EN@Flu7`Ko%!>Rdoop`CV1DzYX7r&f
z>!k)dU0xlAH*RDT@w$BB^E97^7%`SlfBATP2v{4EKay|E{wC6;`D-{%A%$u0-sMCN
zs+5&c>5h|~>>?Ud9>Nhtdm0~%L%tjGhQ;81>lGYzv(I`$Wtx0ZuIZbWll-h5iqtOT
z9F>RCB_$8)gf`!Z0uCkf@bo{IJq81pZ(^=5yzOXpLMaSp;&}p66doF~_uO*!9^2PB
zX`|AR*1<O`D<d5#qD$IsrJHu*?C4Ey`f8h&&A3O~`$FD~Bp1%UX0$tVwt=ne`B1Oy
zu69Pz_4aYa(y`pP)lQeQzZp~!CZ~#D{Xws8#@CB1p5R0f(FUa}mv!6+<`X=1bbjr8
ztg+3>c|h(k6%ibCr9<@03#|sO%%@7nai-2E8z-!k#c3Gi+34hzx-~iQSNy}DKjNYb
zQlg-s`uU2iDdL_*Ag<b9vc<5K(bT*1hxGiY_`5q|l$2ucHaAyEZQtE78?8y|^d6P&
ztaiv6MG(47`XB`1fiuJ)NHYAwAqW9Y(8<Zo4GIg}TwP_k<h}P&^v0C1>f&f!-P^Zx
z0f#V%sPp1T&HP~5#q;Mwx*MYfjTeS0{2o0*6V9{mM{=tl@1=`8t;#1Xtmt?dg%4Wp
ze0kpSgkYGgADZC)@{-T~%YJ<8!QN^o&p96CiEmq5n`i;Igam^;Dco7abHk1cCvxKh
zC5{b;<R`LwZ&`%A>8j+x^B@N23=Itx_zC^;C|Oi}<@Y+Dx^8T;t0qAM)(k7}qCqr}
zB84SM8Z4qkYKE0X;d?kF$cX<Tf3Jari|gv@!otpo>?b57EQ@i%)1S4pTs!0=u($rz
zEUi2l;gB_m;Y2UjS@)iHIf}+0%jd9Nj?6fu-sjDmH<vl_C<F_S`1>$076uIW|Ncv`
z8v+`36PNS)HKPWhKMVF~$t5K8Iysr3k7{mie){w&&k3+qY-Ob+cGusZL=cmnmDTHF
zZ!Z`G#yxRoZ)+Jh|KP!cS7@2tIk7lqQA-jmDHa*eN>6XfJo*;-ld;7v>B6I`A%_sX
zM@huCKi{J9arccR={+UX@#DvN7<rJZ0dsS97cX9nAAM6+*4fe``v#A~^NCAHsJ=QM
z!G~5sb#!!ylQzSlkkc|T{hpe-x_rrP&LBhUDcToJDAvgPa^ph?Cnn^$bX=w;2b?zR
zj~_qM3E|;1I1CO+zY446P0q|bERVt<PqhpTp2)(+slOJQ5$|$S>>|Nc_UqljQhPXP
z1_lNVMC1jmr_$lfnKLb|tzYVQD%|Fc)YLjA+vBN^OYt-;%A^qVmX>}ruFrn`{rfkU
z-4*f+39lD3lw*>Sdb3q(a`FntpND1Thrm?ar%owlNg^2LoxQBB!oosD|Es>MzdPB_
z-vd)0P=BFb-iyJ3{l0(yu7PZg?p`WBIQ6O4Yd5`19*gTbV_a%?S&GKj*SAkCx?_8!
z>b^RbE#opuunwc5to$yOWwV*dY_3P8@Olj^E9;2Y=J3XVQ)i;|*L=gqOlc{pp`oEG
z4k#_cln*-!Q;ffMttE<IKY!}A*N*@ug%D=PsV>e6ll`?`_4_k@yxiPb!wfXXj#a{L
zyZH%1UN$y-I1cL*TwDdSuTNp5cIV#Nc|h=|6WZg?IVZ_jDU4QDvpb4OFm&Y#8VH9S
zmktUIeGKkotBb#W{W$N~eA#H`^kA8TuvzWHdIIXt&bo1l4TFTs_cN{0f~)K6?Vmm+
zmrV60Cv)7@zP~V(qQ1Mic<JV+@MkRN+!jX?v=QUHX2GFK*I;{#uH?(b7$ftKp=^3O
zFR9sO{L$&5uETGQu*szeZ*q3_6IJbp3i9%rY_-ZULZYIgcCpsInd{TNfz?Hp%|Y9%
zzk64HcO?9@jDNr1er{CCV=X%`kKe0_m(ZWeR#G0&9L#ioejv&%Av$_;Vc~TJ#ukMo
zp!3yHa)C#@eka_2_39PR#C5NA-MH=H`=grQ-pwGQ7Vk;0SA_^wuCp7<AK81?zU1j!
zM->>C^{jzg@a{7SnS5fjwX&M(P79R5EZt3ktm-y1Ki^(s{&fhALoj$$rWO*g@a@fw
zI~}hoY`?y)y1&@drk$mxd2`^~Hx;YQ`->xK3eS3|Cc!MdmhorpQ>P)%#$^gF)gI~7
zLKYdFoSm&b;Iylai9yU$KS6~Gg%qqM-os_OeNjnC={@RIWTag0V%<S)H<m|0AbtAJ
z?xq|{1HqZ!#%Lr|JOA#ue*Jo7>nz0>#CL94p-IJauXL@P?9x#_OxIfSWxt0HAAVEh
z<>hr}A})AR6M1v<^YhoHRj-Z97RH-{?{p^qI=;Are(64)5wo*C%S1~{^eJOwW8bg7
zJEcV~(^@<Frz6{;icEZp5LYE7-bI5z9xL_WZE$e#!b6YT)?ZE@&$U^J2X6ViJxRt(
zvLN+ny@iFv+^E={4$7lv{3qAu2RFwW{AxVb$8pIO(e;cov$OgIM!#leuAwEpc3fhF
zO!I{Xj}cEy1@(TY#<MIxKct3BoCG@^6cqIM@#E6P9f;POfoY0ivc%nUFv!Zu!2w;>
zEOz?U;(Lfx%Xa)DyN^H7ig>=0r%r8eZJob(@e&lO))?W!+}yX7+J8-q?}6n*wIS}}
zZ{{Qx0S&^0L8XiJ$#9YV{e2C@28EPBaUd28_#pAGzcm9cA^t@y9sjv_nm0K=KOauM
zx~|QEmf~oT;+V+EGX^wp8FL|lish_}&E)$43c(SD<>lpuhK8X!#xuCENsE_jWF=?s
zMynpJIRPJC;sM)`f~R<_eCAd{#c|!S5^PlMj6df9x%qur+|qd|d-e=PcUDfh(5|V*
zt};it(##Ud#Z1bhCqCEH`=be$vF2%Otmp5ULy&^Q*Z3UBY<3S<-ItS<RR}w-+U^et
zn>XrOuJGEzaFt@%@t+@_85dhc?1afJcdeX^_|X{Hi|&-(d^Ne{gHBt!r{S6~n=O3d
zLaf_zn9rUcxLn<Vw1`Of>GARL+a0gA`?S@mj!U`2U5p0rNF4L!vioU%xsrwH{4LdN
zk6-iis)-p1j{^f&?_S&L<MFT-p6xH_HKhgH4WuI#CTe9mUS3{!JfXil!DY4k6@>1c
z+qZj$BNGx#H8jS?$7M60JbNbXIPSj__Q$?wWw_GS`0dTlU?N_B$@>c?1_qyG=$JDU
zS97Mu#_BU6D=4?-U$2SF^x0ch#8USAmetiA7(3KNB_=NX{3%DFqo?OIcqfqap}#$=
zz}5Rd(OLQAY>52a^3RXf@_Z^Is^qT*=+&i`+r&CG_96>i^@(2elK~$lgC(!@`%-s5
zN<E@p#?o)&+u$I@SN{qm@Ad0`R)^oai*;G<$pID3?uygh{x&D(`s<v3ACVRbq&zx4
zH>a|yBwfradAvP9Sy|cI0(+>Sk><Rtt0yI6dWGW;?S6l>`%GVs&cNehUKjOexTRk)
zW~HSWhcJX_hVU0JniM|q*njx&;jv|y4av+X>AXd!g&eN_7*11Db4an6`3{Y5N5usp
zvs#taoQmbo+(})k>hw5G2?+^s_uu_BUb}9VmM3%#Znwu}Tqq6vfwh7Yieq7txusfa
z_gz+5>xRwd!mx?9^6Yu43liYrR`iuz6rC?c(;|<MlamvlXjtc6<BLtcBSB%lz!j@<
z+t${$98G3JR=qJ`tHbX7D@uRrO{d3n#x;j4SNtm<2;g&5sael2LCFYx`qWwx!z^PE
zKKUU)-7vVXPsfJ0$T8gI+^w;k5_uG}A+r@fK0`}W+HHQIB&trXMAe4+-QDe+L=|ca
zJ%+E92j!xB;tpLwLD))1NDVEM+PaT&hfJss4)bw{h!pu8>~krEBrBl)%uY;PnZItd
z74J}+;*%q&+6!T3B5~bW#X=RcbUdX}`Y=V$Q27$?tgPqq`g#Uk=4rqFOiC$<5qj}(
z2!qQgt-ysje*M??Hk&r)2bEAmw%m_nVwl>~tHLv<y)!%`&_8?CFG)L1Tvbpw+&)xl
z&(hx3(vq8(*IRix=kOrFkIGI+P~R>VP|Iv3>tfG4j+5j)EjnZXRZ=yQ>|0in&;Er!
zyB}B_x-1hD6U9~6F~jo|tQLc$6g>mw^}M#;k&0h-sW0s<4La0iG(t>?*xFd%ZK>D(
zDSh}*in6){Ef2oOq|RGfQ1Dq5H&3yYlvMHE7i()Sl{E%lKR!HTp<oo?;Ob(vdG*fW
zU3POvVw;O??!oyzHCNa5wpg*81$@%R!muaA$k1(!!gRNXw35WqQ+n>VK9_c;xQxz-
zi@z{7?@pB;j!Q|76T5T7tMdNh^@9JlL_YJmZ*TIMxm8})tK?Sk%BelOFMmi$MJ2sX
zgU}~xNhuISRry<d6=T39JNxJCM?e;?F%F70Ha6dS!(@Zq(uE@w#>kA*n;RY#pS}Bu
zw|6DqhO3D8kb3(Q`s(|O$9eH<W#<4V0esrt-u@K*TUE4lqu~+Bw=xIzZ44l+TYx%r
z8Wr1Sy)W6!`(dWJgoVTUgabTTup&<aso5X<`xl+l!mqsoYEtieh_0dxpj|c7Ns444
z4v(JR-W<2yzCIERl30n9kS$%u=f8-F>0PgJnSP$WV8c`YvdoX=tld>*<=!?Xq`$Sq
z_N$YV(^-cRRwky+t>qgz!<`z0<@rZ1Uf|A-wH+}}=qd?*@+A4TkD=lB!n%FF_KQcc
zi0rp--;!zmzo8WWD@THoN33;7yN<p-1rL5!8|vX3K=Aq+8ufVuC<jeVS8%jAq)Elp
zlr6wZR`yXe8jNmTSz5{{4_1#5^WJk0+NiFUQbQ$qZ5&k%VHQObX~eR&mX>8Nr6FNo
zYmb^u^2O<FPQrVj0w-Te*!CA$G(v7UzMqazQ&Zz8fB?w4xs?L#YhQ#MeCO7!6oX`h
zgCQ<1?zGygs|=`2<j$QtaekI?z5kQoU}qPX^ey&_Zuwd{SA2no7-fH%5xwyt98Ii+
zy*xBPS3;MT?rGt#UL^}c1Hnu$Ese%$XlwhW0(-u~D<E(M$YOo!HsoYJe*Q4l3v{%!
zDH=R(22v3b5f|?-s9e2T?lyl+h#iN7{LV`9zIN@}K=lJ>1%(d)&inM5?~i)LL`Rnb
zfCVr&t|f~~{$c|7qVX}+=)=`#11+CBJE@Nx`4DqN1F^yYHd~v}4-VMb@yI<gcIOF@
z7qSek2OD#SCFNFDRvh5S2!_D;sij5Ib>@Xph=wV0flLFT83!^0IN4_Tc~a5=RDdyA
zITRtOsi_GTm@ThrV8ARSjziq7?Chjmro!*-Rd0<4o5oFl$@>b40RXsNrNKH_!P(h%
zv;FubZ`N&i@|dq>T5};{=KdpqmP;X=H(J23Crh2(sR3%VYC55-s|x}o?t~ekEufVO
zgV+P+8@AjFM<;r17@n<pusW%hAjuomq9;G*M@k*C_3247NwQe;ug7S@StwiuT6ic*
zykh{E=SJbf1pro6&FZ|phRPikLs=~jgp5nuzJ5K&#pTz}CSs1)(4Z-6V7z4G_{O;G
zZg&>I5O#5^E=YRTzHArW$dWJ#yh7)22!IOg%I8RKC}{B~!o9>T-uqv0o-CT4nX!4>
zI8x*Jy{<P?HBC>h&ijvEzJaLE{==QAp$g~653f|&I==abIOqz+WMyPjR8{pV0=@MG
z0AS9C0n`f6*LAw*S58*qH6^7VGIV<Qvb)1F`&&2SYCYEZyoz0C_2guFbdW_$P$yhY
zj*N`hz46>!SfA=X1aOBy&aed34A|4F!~>uG)g;~tN*#o$ZF6xnE6gA@@dx{~vB0@=
zF`1il-y7K!fC!`j+I(5fxisRrs5xi<{cUsge?$FK8W<_}CG(aSya4VX;Ysa&`u;sO
zZrm>JQQZw3zSr+C)ynd+1-oV=$s+8bix$hVzuoDxG4sV1Y+U9rn(6cB&!643X=ljk
zKyrH1%Hc8r)5;h7QJ-&$-EL#P;B->8(75afarH_#kq0X`nV6Us%mQRDbAGH%<>%vj
zTUM6k!+S(bOw8JHwARb+&2(>8Z%`bHm65SOH;jZaudvXp#3m{)Z}#~qWwj)k;S6P_
z_DOPpxr7ZJd~mi7pV;I9yUfFvbNAM!G>IsCQWO7?9!TrGAMdB8rXYfju%7Sg@89?r
z&vP(f{ttNG#*u+|?YJg^_8%|~Q2oC$@L1j6yn|2hi^DFN<wF_>Uhsbtdj138|DylD
zmlE&xf5rPxA`>p&zjg(+Si37kbh+XS9&1()9#l;IJQygk1<`@{n6Au}6iykL>ucEa
z4_4BzWxNN!N2t>gI^S}JB5)KFD;{LY`BzI6<Ha9kHhg@1baZt0Qc{rQ7zh?ETf=<p
zw{pjyKR<>!MiF1k%sd?+%h|Hk`RNmnpkVW<$7no7-<K}|fq}tu8F)uWM<=H<LP9u%
zvIGwR%*u!aNT?=XlukoKQ~(;!Z$tvi(s@w2v32R*7~ak8tPl@mtIHW$5oD0IA+51X
zd!!4u-5o0LZtyiVGb>z7gKB#A?AhzU(tvBZOaPcH4}}axPenzQlam7h-2Ko$AmD<e
zqyqfAk1H0wbLTg395MkpQkB4GwjcmTmN7|5OH)u#Ty(E1RvZwPo_8dNP*Qv3=f{8z
zFmzK5^BA}&gu)?hhf9iUs;k@9GZQvu=jRh*W1muhv?GSsbyQSTT&=as%gb|ibiDkY
z8iz>6J$`&Rs0NtxJ9hHsy7+jOk-f{PWVwjeU(vmrYA!CtNlENye8Al=^Wd<;!otBj
zHLB+3$rU5l&^&mfiQm7q=?TYvME8rNOyWQKoP!lvYnqzQPfb~o7a}ga{QO+!zV!Ex
zpSg^xKPi6pY-Lr|$L40kIojKI?)1{0FawqBG$#iK$NBT$-j7yp@9vTwK0N+~0}@Xx
zR6hp?ht@@>z|e3$v`caMO|aKF9lj`))9<2_hIIAytIEr}%uLSnAjOAlN(S271<#%P
z8WdWQoQ!PC!e`6+U2on@|H9^`qw~T<=;JRxG(KK~2j}hW-T!S?XqPtPl#dVCMVb53
zrP1Nxgkxwuk39(E=+8GlF@a(mvCQ>|{fFk>#S0fqYabqE!eNmDg3Ufi0^?Jz#yL8b
z6%~dKriZb}Z4Lne0Un;K;#ofz7ujiO2(4HQ;&)X=Wo>N@*L&mLn>U)`QO6+nL_dE{
zr?0QCyvu1mXz_<4Dk|y+og50!qsFrz929irft!FCnJ@-aGIee3$gr@m@^`ZgSb01i
z@xB7({y4C5dG_NjZlFuZAHW8?PV@6C-z-Eh$1bX=sYQREg+$QicP+!o(J`Xqn`cHw
z2IIHQqr}%F_GyadPjYi>2iG6-*@bN3_F;6?EYAMM1jS|4n2#4qX_e}NE-L#3;UOmv
zz7ogCSXo(lt)kVG_<o(z_Cn0(o2O2lq7x1TN8ux_KIV@;83>M1*=v49K_S%#E;0i5
zFf%hd`B}89jt0k3kt?kAtHk^dg+;g%4}Pz&udk~nl*zoZC?;*ng&9jD_Uzd+0PV4{
zu{_x8FRq<h2}njnAyFM;WestnF<+ng0vZPoDG%PC<5Yir(DSM)Pj7D-02DL~pnCr>
zseSmpqvJ^7;S^*U3g_6wguehsqmrsBWLkF#GRzZH?sjmkFo!k`4(HEKdl_X(aE%IZ
z5|K?<SXj80K?hQ&fhb7kdeSFeJ^*#s&Bf))AuP5?Plt~|!b&t+&zPtOovHTPJqyn)
zs`bbRt?~<61809yQgQ$gMqL&GEl|^vD?!RDH2<Wq&_P9ovIT`LGAVZ256AS?7O~U*
z$N(X!!quCFCH}()g$-ee{b}zn1x$oe4HJ`)7_<f<Kvtbw3t_>i6zEk|Rx&a&rWy>e
zWoS)LPd|lYs2>LpI*G9xETt;Y)Arj311X>6;4t4>`a!`Y6cQTR&q^C|jEpZT$cEHC
ze)xJaoI*WatcV5r3mVkUOtl0LP&l%)d3=0);%{dw5UP_m<l#fvj98IFB_$;wiCCf*
zp(ub(<YVp8ldg0Xdxmyrhv~g~ND3kr4uH@GMG0C}F2%#$`7)lPk?(hydOYSpOg(n$
z5XMCu8}PoPBNS8j?wzxm+L7EeHa`=guY0r+{rc|^>=XxxtB<Kz6rv8w%g>YeD85%X
zF@7Bj6-o=~2}~v&36OrES6~!y-}|=jcv36V&Qx01l+jo#nkQM#+R7??<q07g08MIG
z7`1A?aam~Y4R^LKJq)n5KY(x|+UJn|L#BoHgQd+MKIrM_JlVRNnW+a^)X*??a#8rv
zqel=dW)FTb<YH7}&tOCy($R0<y_-JX0{LE8SpU%M1eBHw7cPJdB;&r6Y+$AWxk<}D
z$?IU{Yu$d-P)uy>1^WSUQc}`5v4>mts%h;?(8pySmV5u%+1q>QA8y4F)+<5eIZsA0
zZ$Iuoq2-#Jp9j+0o-P8yCwx2soju7;N9XkO1C{@?t*h$l>esH(EpOr=?-$l=48R^L
zswuUQ5wcQQ)Y`w=ckz>`f3$D>P}zCujVzVe@rj8hJ`8Z^E8kdhkzD@qZDEg<l@-{E
zyiXcHb?MC^XE!&u(9lpaPd^;K3^Q;*X92)LYinf%6c|9TpJ>H(P#}}P$sT+$zy+dS
zc7A@f&q1v`n}NAGheWPwO^{N>{l!F=4`*`n^5n`+2=b4CQfX~%9qk-;`s7Ke?TN?)
zBCyrJd-wG(R^xxv^BXg|Dpb7nbG#v+Bt?}sNbAsAT3WA7Dl9K_W`i208YiApRJ63W
zy_%<2An80wiR-HE`lY6-Dxtr`HQN;OoqZ3>kzmll+x_P<^#PY+D0A5klxfP??c}2)
zrvl27SvnQ+E!~bwd*ImEhL;<{^67gm%r^oVc*cT-YdJ6iX0;}pY5xJa+7eEHzh3b!
zjMT8u(Vg*Fn*s$^>y&Jc&P@D+-3|MJEduHg>`76VGS{U@a4Oyh82hc(==H@>pHJbO
zEa&ddjnrIZB0iE6ct|xm+_eW){PIsjA!4I%&}XdzT^50*7XCt$8V_CPeSdQL$+p<W
zOemt(u{EBXZ+&<trbhqO+1gcg$-TsWIbFcm>*(kJ!vKZF;LdgQsx=p`(V=#GvO7)D
z)YR14&qRvlP0+8d1}wf`DUkEk9}70@){j8;{gs$HjR_DEcfmsh`NpaiYtzVz%gVkE
zJ*jUi8}*JK<Y4)&J^Ik&o~DSfNqKm?!(R!VH24meUc_7C$|J~b`WOVF4df)DPo<tD
z1K3JUNr_gkK1Vyt$^-IhoH5PI&svJ)T5Z{yX(W?OI9%7BX_eb_?Vy+?!)HFkkee;6
zc8)qv6Ztt?SeL0dRczhs&v0*LLMblucgSQVT5OuOV2{n_Jb7E^=g%qIMEU$KaW^*^
z%&iT%3oOA!3aDt5Kaq6D{IR%&<$z=aiQq#fP)x&H@yTPqarf3|baMr|vf}txI`VUK
zQ)8i~8hLh~t9$)Al(nhGPbWtQbjcgbc1?UeI)qa<6aLbx{ZG(7Ac@}m%d2kmu90{^
zo5rZ*B1MFZ!(ZRnTK>6My{ZQ2O;wdj_cl)l6!Q+5mCenp%!W5NK2CjC%gEoB?E3mO
zW`BKoc^k+Bu+Qfa5h)In0H>j^Q+ao|GMGs?QQ9-w(_}XOphsC4aJ=w|6XRVea;2rE
zaf=%v2J(-vMgIBpK^7k2to``&v*P07E}*pazeYypsQEPzHu0Ea=Ut|{eznFpzZd!k
z({F>1Lo+v>+=*m&>R(~0s<(|h(fx#!l*y=y$2FqPf2Ow$6lBl|{X9KZJ1#j-wuN)b
zS>1+shQ8XjJbmGXnPYE)NEpn?%`RwDYV&K2HPbuXhW3ep@@X<KfvY%4HcxA7D>z2I
zahFa>f0?D1*B@9%2}$S0Rk-!7TesHqZ7Hf(t%v_A|A$8sj=jO+%sH_@?BjvgX{$?1
zxG#-ChskL*M$lM6_o^wzK>zQ}*J~&c*rRfJ)fz7$F501HUC+ZqvV<|GU(e7mhh-zK
zS1*PfT97<rKG>;rl&5;8lC?E&d)TvQ3>pN9+mG;|?{6ic?d<K<_d!6D(0{|tMnXc;
z7AFym1JThN3i6H9WJI1(Lxu7%>AmrAtloFcJd4jO7+dr~1#|^G%7fwF-j*YFcx%hu
z)tQl8)!E+j`v1HPy9JGN-nmitpU>#I)!aQide%UwKD8&=HFM@NrEYyshBB9L)6(W<
zOep%adSct|v-(u|;7SR48XA#19jrp%?RM6ti?PNE&I53P1_hE0Jwfm!Oljo>mR~Es
zTG1C|S@mB0-6Wz9(v$}B`V4WwCb#}!Izn{Nz#yExezM(LCuB-nKJMk~<dE64!$9|p
zYOjLvA<SGI9lPTSg&k9Cy5`==i@!`wX8w?o=Jpao*HZI4dx3U6#L73}JRy^Eb1h8M
z$B$5goDXa^zMtU5SVj4r#}SMOCH-ikm}%3;)9<UUp%LzgrI`wociyjlu=*j4UHIXd
z_ZL_WA34z{#BbxxSCrnb_}E3J(fG*enSYj2eia(3xINM%tjr?j_2AhOp2MP7P&+#}
zy4ijN&K!fBw$PpS5$F=5pi%n%jU>ThDRL`-9mVy|ozgLpk&X62g3%EX%X9BKdoJ5}
z1my|>HJ=cU>)fH}l^vaud%p{OKE-ctwC>UuZD>ZB`TTK}T!H-Kz1++c7u?-HH#cXs
zSX@t3Gbw_~R*w!liCD8s072|}FaNytmy2T0v*R>0c%iNkQaN05;U&glT5l{CYhq&Z
z=?oArZnalk1E&Q?Asw7jj%Jl|50|Y0OdJppF!UPex7?36|28#mcP3o?D3khyH$0U6
zlG<Q8+w}3o+U`J-4f%`)m&qSLF3(C{yr{k8Fj`v!KXC~v(#uWs6EE(MJopXjRA%$}
zKPBI`L+)O9SsVuN9ZOSr6$FaZsZ{f1YwRIL!4EYQU2|ap_x;(2u_9&dAc+_yCjPeD
z-yHQ(w@{*R4%Te)-dp}SGwL%}0TgwkTdY$`ZaJqg&1$64%Fzrr^Sd)C3mCq7Z!NKT
z8cn0t8UhK)xD8qpvm!CMbhuO_?u^3KqXkYPu7B;r;S%xu`EvtmY({&Rz3LaEyZH0a
zxEN%oSR}iI#+pB)^`LZO@3u6VvRQ~5;4PlWRE_^u2h~5tXWF{jbMx--Lh1wR#w9OJ
ze!plHRn=PuJKNiiTx?cRhjoAEq%1d5U&^MMdZ>`csxqud1*!s>Y5GyI+b%tvoSY4K
z%+&1P&7v?xz8?(b5;!A2Lo^%f5GpIgoO0XV-MwDy_R*91@nY*ejD~4KbbdjBE=$*T
zh~9;lm0-VQwry~jDQiUrxqg&Vu*)|xc?CXVqk@5$KBMYZ!Q?%?A-k?F!Pu^^f44N(
z|2xq?ZZJPPJK6Q0R)vJW&3<)YN*;1H(rDUcLMQL*tImHPNi5S++3OLt9e0Xb8v4BY
zUYeqI-l|CwHdLijc70#thOKqdE7>Af7K$4mbBk)Bp!Lp;xhK5D>>}Kwa(3W;Ffoka
zG?M^TcDLo{3v9I7x7%x7Oa&Fq<+QxK{9OAuDf>f?d;%%;@$l!+S7>yo`xCtZ0MdL|
zv;YiS??ui}I5y)V`Rms&pf9*rV7E%+uCIS>06z4NA8*$Glvl)hoSbDa^zPXo&2497
zBO<W(oSaVFu(l88<8(>1Ga&Qw%C$-buOFfHCN`ne55+Yq(0m!X{ZHHB^IN<8WvJ>-
zRb3__yoA(HUSbcyj;Sx`_KyP0q6Krga3*rM&l%hIqcPAqCff435lt~-{~P9beqUEQ
z*7Kjmtn%SGX0O<a{&*+iFi!4w_qZfQ!TnA~SWv9b>62Z54?rjD%jS^-&_XL)DdgfU
zT^UjC)QwNPrmq_fNO)545Nc_kfvvBAt@Tl8LvHl+@wk`gmi_$_=|L<@b#`=dxj9~%
zO&heN+z|S~<r2vh;eIn)4)P<P-s?Xf9SG5BHW#jj@rc~gBHEy2Lg?eysrV8`>=>Wb
zdqeJ>9%*+`<?*L?<p{?o(WIGYd&%TslIaSDInnj~t~|BA&)FN}Pl1cs_`@L1OEVO7
z+E@}@Q-zlVIG6qPQH&C@5ib=P&x+6=GL1J#MjJ)_eedM*mA~%+91Cm8K@N$D_GK;(
zkYGjpp&7BDNI#=@J7J1KYV~v?8Bcwx0#B-?x~eKe3YxO537&NY1;a7w%E~`C26OZ2
z+g+#y+g`e-Huo18ON?R+I>_YbP~T5un0tOb=FFSwuoI<~H9zfe`Y_J?4VD8sgqA_t
zVDhJqq?uuEo%`i~`!t(I%(=*j(7Ei(%@S%?=b`(X7Q}cTT`hfYs-rK4tf5MAIJPpD
z8LilyhvX&#gRmWnO_cG9(*uRu7p<ZQECBd%@nFQ<U|E>T&1$rJ)zC}eg1UC)GxYk6
znzM_(a`!W9uaJ#M&vf*)H_@EuyN<~>t%{E3{OP2s2-8J<Xq9$A$vHuxpXQi>Wbh2R
z3;U;F$L5{n%!-yLZ;-W3%nSP6533d{seNo;fEF^XY;v7kUGzDKk2Amqps^wnAbh9u
zr7SF#;H#YX_qGp_9+|45dCW&BYo+pP_z)k)DH2&$MmZwA(qWf|exek4T65Lk$jWnL
zZo0pK<taIK>gDF6o2WjF$~6xU4`3A9+S;?YBKyI!!}il|6)D2s+*d_OZm(=ar}X!J
z4qRv}<tM}`6*HHpSr6-*dFehn*8<0xEx2JEDCdf*JhgPa9tRC6?eAKr^tb4i_zB}0
ztMSI|OwZ#?@520o^SawcJ1fQ6k%yEcvFMsxOA8VAGo#UKY*7Ss_WtO*JL(&P-HPm9
zCmRL>j(-AFSr<!glX>@B5hwHuH(wtr82>L0nMtt&;FFOe$qWUePFzHCVJnpn%n5ky
zuwHZvxhcn)e$=jdo4H!-0X?VtX7-{;F^=P&4%!SWWKcwq5G^k}d9oRzb#`XPTZ}(F
zh1d|AYCl2`!e&2P>f;u{6DJ<U{Q&?`x4)C;+uTt|F!SCH5J=4-dJG^r;GWi#pCY)3
zy742MzB#VHTdICaQ|;MzpV^4$HmABu$a%xg#hPFNuXa(b#b;Yo;B69`n7folNujYz
z?43+LONDhuUCUS;8E^kMmhd^A=y!4+`!q6qM2$v533Szy*+{Nv)QcBSwuG`ihNzrQ
z`;9`^GGMo+vy!qOoQ_~NU#AeF*S1krwBdQW#h5jd5+85;(Pz|R9m_%Vn8EhMt>m4K
zx$o~TZBNkWG#@}FgSh$n?Hf=3ZoFDMz*hk?w<niTbBd-gKGSTh_vV8S@F;ux0t1Hy
zkZr-NKmeL5ma!brRVEH*k%Vl`9Ke_egX11OjDg6=$e;~H>p3tqpzrj(NDVxELXmax
z020g&2>(xa*WE!B1T`l?;88Uj4nI`=KulD08DJ13?I$O=iu}b5JXW~5xfQQmdAR;X
zf4sKf=lJ-|GqL5f=h+I7g<mZ|tYP+u4P)ddn^N@do$<Td&yI#!0H*|KqV*)`{d-v^
zrWgPN{`YtJ5oT53&1q>|3(DHsMn>0`&GhshLnBNe6#Dk(&Yc^%%Yv`Ex4m);9_V!`
zgj9ndU#yv>o)mgtCzEh3D)9isARa8FAo3$eHda>~&*{zwS61{|q$9GZeqR%z&CSg~
z%mA%}!y=4{;dpW8Y*H|kde`t~LCKBgpceXNYK#FrNNu2cZOt1Eaz>uOkYS6i&CJXI
zm@@Y*#b+qqatDqKgMj8yMcx8f3JOh}LU>ZrA}DG&7@Df&<>Na+!4dW4i4(E&S4UjT
z%x9QEl=ZZ=RmUA*Fc^3Ve-c__<yBQb6QVh@zu55QO-$T`TXOKFrlom3d`LOHZrD<E
zo$&tsdkvfhfs7o$93^Gb=HO29a}b)Zq8_1}9tQ7jZ_9(2$m32<MJ2Cy3dgbk_%)nU
zWmVrPQBg;jqqX9>j2h2+{kr4J7m!gH<QpPlW2Yx4Z*MGz67}h#(HgE>Pa+Z$o(Zd_
zAfJ6l9GE9A6Aks;dq=4vhBJ3N?JNoA>M>B*W@h->B}JMql^oF1(>t=@QO^}pG_DpE
zibkWa{tjh<ZpFbLnW3*=^(99G;Zf}g7tcvavGM}q-!i+pwY?odc9M<`#t!rJ3l;X{
zP-6!c70X&vwgR9H4i2*L;-T4ReLND=^v6RbM<<m@ga?@lICW%lax!RT?(N&RAdPiV
z!0fC)4?jPPgw2aBk5*nGA<&(f?@?h9!N#3q{DOiE?ML6p;F?_&pl2!A#|RjK?xR@b
zdV0w9df2Tb^ck*neP!Nt6i=Wab{~vX-QCM|5BzI$az4Wv4iV>o-6xzXqK;^_tfL<X
zlVOmbDSQM_l_d_-v5B!gxN(C^2nM7E240m`HZ{C_$()XW@IP$ME7yNUij$3-P0#}c
zin%9bVXnx}0ta~|;Mq?%{ea_Xr)cHC%%8x8hR5qq4Yaf#1!JH+fiFRV=dBA%OZ%If
zPf1I&#gK!xf0Ca+_(Xe;%|Jer2n?iBfQ}srHou|i_3RA}AM%_8LkQ)Pl6sXIYS~G5
zL_sJfjfsN?aS_k|cv<;8<#Sps0&KRsh|(koFLoRP4v&TTueJ}+$obphpcA@q!SHls
z3h|<s^d4x?QQh|R9p`41qOJufLqA<i+t^rH{b#5OyO59&sJu;hbAS&xgK-Xr7LBTN
zeYQ3>T@-Ljfg@f|{p_u|ro5*=9Y!mwsVVr%q3XwBe$o)n@7UGZ**QgJb8EM#gCbpI
z1a$U%h77HoFF%tZwjAwISa&1+RSKVj+u>-~U@$n7`-2CLDasbF;^J(Y+=!EirVDp`
z0259@{2~1)>AXW|^m&YcK~epaXT<rc{^2^G0|#a@N_ZE;lK!G(f;U7lgt>cQDnl>?
z8nWMtEF7wr6`Y*jl2wWYq6t<hA09wS^7gL1mNCvZ^H2LjNGKG?5&79@_ehcvs#vmM
zc5W^N2bM8FK`$VGMoptji-Cia)A#h$sAigirdX}6F$E>%tF!iTRP1XJw>Au+t+{0E
z>RJ*QNXqmY1P{CSkWiQQrPwcdOF{qA)6?_r#l}GDtp27T27VEu+vWc>CCH|1^(O5%
zH7}(rMN%GICk)_VO!F515tux1p<!dQ=k%gSphxp)bHvjDlsbWzx6Z`++CK2~>=jFT
zG}_$!3p!#~NuVd{8W|rCHSijvxxH^oOA8Ruot+(^Zi$IYeG0_!co6pX*9(2#93v6j
z2C|<d?a4?SjbFwun`vo{FD@Rev<kyK^;BMAt>vNU9y9Dd<fZTL?zH||0bM7xff|F*
zt^m(aOO)D%dI=MZ?`m&>gImV}e@r1xxtDGwiQYJzH$$PVt1JJ7!~jyk_z$S_Yj$6Q
zd~zvp3=GX5Kf=8K0gNu)dWP;m7fbz-?}k}^N{!v5nS(fI2=7dgoD~iQZNu0S{+&EW
zOsl2~_?!o{1#>J5zwc*pA23T7v13GUcP83jZA1~LA-=<OYl>W;__MLGF%gAJP>Sq6
z!_q-8NI_B%^Wm+X9d9T`Lv^!X3)#6o#YxzHd#-~4lgMCUqQAc#(1(QCx@NqY0SdH_
zo60>#I%fF4Uj<0X?%yesUn`(UMhHeQl!=TGhb|2$wiIA%&ksL<0hDmbPe)+RF}-_}
z#TV?L$>N*1S5Z-M0L|_4uq750@yh^uf3(7*n}jhb@I?R$l{j(oKQO0>?-6{&=t(8}
thaG0!70Va#5OAP}{QFf21kr0dKwVy35LrLPqzbPhO7dz~Udx(4`X3eV#)SX?

literal 0
HcmV?d00001

diff --git a/design/images/tinkerbell_crd_refactor/workflow_state.puml b/design/images/tinkerbell_crd_refactor/workflow_state.puml
new file mode 100644
index 0000000..3717367
--- /dev/null
+++ b/design/images/tinkerbell_crd_refactor/workflow_state.puml
@@ -0,0 +1,14 @@
+@startuml workflow_state_machine
+
+[*] --> WorkflowStatePending : Workflow reconciled
+WorkflowStatePending --> WorkflowStateRunning : First action requested
+WorkflowStateRunning --> WorkflowStateSucceeded
+WorkflowStateRunning --> WorkflowStateFailed
+WorkflowStateSucceeded --> [*]
+WorkflowStateFailed --> [*]
+
+WorkflowStatePending : Workflow waiting to start
+WorkflowStateSucceeded : All actions completed\nsuccessfully
+WorkflowStateFailed : An action failed
+
+@enduml
\ No newline at end of file
diff --git a/design/images/tinkerbell_crd_refactor/workflow_state_machine.png b/design/images/tinkerbell_crd_refactor/workflow_state_machine.png
new file mode 100644
index 0000000000000000000000000000000000000000..e85b4c3f0a83815b2508fe402ba3f9008d8233f0
GIT binary patch
literal 16265
zcmd73cTkgExG$PSqZoP#pwdyg0s;z1@1RHvRXS1>klq9&(yNF9q6ku@3kWEp6r~rX
zccg<-l-{JBC*QaCKKtJL$DKKIX3lZOQ9|<Oeb;)*uRJS4^OiCx<{SorK#;1cC}<-P
zNIm$wL4<-=HW@M^;2&;xMFV#$CubiAYa4fjvh{syR||LRJ1mwyEOzeh&f@(1&JGs$
z-8~!~E?YS{QVNJMz!l8y;tbsX^K}FgF5~^m<jD_>uL3lU6UoZ~m9gemP`$asLCC!>
z`b3J;yJ?|)Z<Aw8qJCcrJ|0h8!!oak)o#D?-KWiy)xR-xZ$n3|+QbLFm;Yw@HWyP|
z_-8YJIR@#v=mNQ1jJEgn5_8es$TO``;S9g=HR9Rl+}WZP(?~+}n2tThEYo5Y(%hQq
ze>MjA$R)>WY@2R5vh^7J+<Wy<>;4V&sWT$WA3h&&hdhc8Gonp;JNR_pl)3Fx!$^<n
z$Ln+6MvPuu<V9>fJ8?&@l&nIk*vs#@9V$zaiylw!KXw0O^n&@++rSHtOrLuCE_l#|
zW{REsq;8~9#%=JMWJZ%HO3CjdMGptRyL>%Xt4|_Cpkm(e{Q8<!aOnt9rtUZF)92O$
zGOLAxX7*$CAFi!s%Cvl3t1y2NN6DY}?APlnjE@t(T1rK%w8rPRb+?^%Q4Ae9os_cU
zx_)}W>h195=S!*xgk*`Tf-KH^<adg%0k;1rtU5b!$KJc1N<mSfRZ~k%{f3ZJI(Z0F
zWOPqv0xcc3*uXTBMzNuRI53i-k%d1l>D6j*s1{|Q-L6brhF#L_-wY%L6PyEgAG&R)
zN;*7gA1{+$VU{SfEjAP?v#D7r6!9(9tCl8W)w?N4i)6(iSc5Sv!J5cm3LZR#9GaqF
z_F!)#`I^)A`ubvTjz%n#<SJeJ(qM6CYpcbSCQ_l@xb~s{-uj%R@Ak4qaAOpmS@nYi
zv?7|qQR?6{In!7s+bJ@Jq=baV=?ql3NK>tO9UiIDDVK=~_e>JLs~y{h-}G7;xBjSw
zR3L6>Y~0F~=<e?36X(I(Ju0<o){{lDD?h%|t%You-dk&C_Qhcx+EH1kaBFI2W;1KF
z`E6PjtPEfB*3zK9A#x}Yt%8R8hPx+4!oA-JE<SMvYyNvxS(XQHAhLW;0Zm~a#u%K3
zu<U;&9q@3n?h!{*?Xzdp$Lir279(~}&gO;y+N1S$enVp%qMOCCg(6|stkRh^j3gZu
zzI`6eAR3KfnbmM`a4;akA<|JqSeaY|e9=E&iDCJ_<fT#;^z7Um7K`P6xHalj>%Tp0
z`#RugFW_i{IpGeidiM9FzgtVg!^1d4o)vnm+V>g@%Va|YwdJ?|0{z3oLyc4kZmGoh
z_(}HrdelPhuC5P$R}7L2ntgQ5wjX?(a^0(m$pUHB$`@B*Kghwsk^j1e?e=?zJpJPF
zmD=N5=qKWD(W2twN57o{sO`6ZkB05LZZ8i{&!kHFj(l*6J-sW*!@|Rp@3S$lEoG!#
zS7K3*I&lJa<O`<GB<g3G!N%XE;+Yx-0dxHBuiw8V9Y=(Fg@kEOIAdz^1q?;BiPNpy
z777?nVP!fLk<1TwS^qS;{rqlm_KTCf{U}@vLUsC&-|CmsR+g3}N6pLue(?CC@j}*Z
z@i(4dj$q)pnN(ue&Bo7PZ1e5q+|Qpk1o0eelV5`L3k@F4CGhIMzt^AdGSfsxM#jp@
z`XD_cX`?G${@VR9E-IFdsrs-eYuv{lKYna|ms_E)IX>FYNqvxixAzUX<ff*aT%d~E
z+O(pEMkg7gxbWSclVMs$M)?o5+n@9AY;4po?5s>2_i9M%ww{cbc)0H<kLF@(B9}f8
zc(D0vf2Foo<F%Ad&aG@zxFHup{qPj&IRyoUU+&_3;W@pK2{lK53EP%=HelzE2^}5X
zSVg$Z*f#@uQRlSW{+Tz*FX>FZr&g!xkB@e06-ii_6~0qzNVxp`&X~o`$G5q<TJqt8
zwEth>3>7AxCRe5Y6SNfk?28G{o<9$ZCF;{R^Y33B=4Gt^J^G>4KG;x6>C`>p>67hk
zZE5e{JC0`jcnDh<EA{u+eK8)+{#>n0L8~SPQD^h6G}&nt8li4t-@9k`=$TGsF#0OI
zoSmJWX^y>q{kjgafsY2k<TFbt5&!h*(~%1Mu(0!~CSSgMDbOqWdMV1Oc6XY1tWYyZ
z<+IO*jo$&}U8B0R=dyv1aLsxfFC>1$At|NGlI^#bAtIqz8!NHqrlt&zz}<<DZk$wJ
z%R?@`Z`6sLB&4%#-$`6spud$O9>SnkY?_jo$T4nz$Hpcy;ppgSy{J!Pv9y_Ke{0aJ
zG+M6iR`#o{D}rwjjrDl4k`l+!t5;8k4|5~DJomSM(_J<e^;y5;=XbEyyhhSsR`{j4
zvQl)c(9C};K_y!BOY`CW&iVHb*C??M{XY5cd+t4s=B_jNPV|t=yfanu8Hc*jdxsYv
zKI}j?#nC4?uPuwv2D8;ONj}&-jN0AxE~WA~xu?gGinFuJ)x=wJG|{Aa(|<+h-iGqF
zOtT90ZN^jK5}lWX)G0JN{bN*{^SygKQmLXYsENquDD&pWjJsS9MTK#76URqhI4+8-
zul=_TLok}HXFDx+iT3>Ve}8b6jiSBOwU{dA_U7*m(Y4(lRUQQr$SVzPicz$!`Y*k;
zpQ31lw2INc7?t$&X!SB&SfxV4!eFP2X`Gh^E}i_miK9`n8-923T-|Q?8zht6pFe-Z
z#KdyD$j)9lN$R_Hr9%_B>kVPm*FjmHVOo@dNO(0^Xvof#Wl-b!+bHN1=_;kVod-Ic
z_ES($eRrmE9QpdeR2Xv!m2Yz^+hnovN7vQKFJ=$-8XKNHrAbSQ5QHo^H846dVi{}4
znD(f*&`^j6pA?0{Cnw*AFlpE?Ie+aw%dA4C3_h8@!f?&zZNTx7_m!xv!@pa;hg*Z$
zcY2hAPygBS{5_H)9l*q_B~qss+KO|Pa+@a^*xlQUh<*F^E#q}hVFxrllf10#7s!!P
zNBHn)`Q43fW#&VzaVK)I@M`xzV`l{&rd5l~YL6bBW};}1e9=PP{v1ore)TG?+!wX$
z*FWL$2)MO4)Xk~I{sQU4O&xUx)ry~my$dA!iy2q7w6$GhKk0QeY}U(QRsU|4dZwXN
zD!B0mY=pJ|Z6X&w4V?nID<%y^^j|MQv-)4_90p95x0tLjUHgg9hV7wPT;Sy7<zcyW
z>C%-ePZgonUDCnff=iy;EXUJOV6h={U%$%HQetI<A7^H=XP9){Wv6)(A0Hg@*5uPW
z=UhaFe@}0(W7{M2D&5*do(?Bp8f)EGXnVQ>kdYD_*S-Ekw=_>&HmQncl6=_+P0t<*
zWV&r<>eYa$$w>-k=1xm^cZH^&-u(15+dX8OS?xp1zncHNk&R96GhM?(Nr?b0w9G={
zlv}p8wx`h&n_cn-Hjgxs4T}cv?wp~apr>!iNCTLlZD2rzp8ff=j4KymnVprDRYH-A
z;LT1;W8vViu@+mQSUNH2Km5)*`KqHh>@(Kf<idpulOs?bY^<#p!adxkzJ@e3G(gNd
zj#X+E)JAI~k2}95Ups+9K_T*9qLy5hsH=AQyLp#Krd=c;AmBKPj(^>gvuUW>cW0pJ
zwul~M8tQ2OK>5I|#_xrfnAT6o=<`<{(op567QOwBsHw$VXI13nP}sD*odAd9XKJPQ
ze~5o0Ns~h#lzOjOj`w1(*bnfP2OE+F0#>rOp%<~&mx17ewH9`>hg`~%6;n^X`g^$S
zCv<2N6R~S|duC&<jZ?I1NUQ}XCnqP|Mqs+`PS<i4njp2bv|yS0JN(7$y3*hZkg&eK
zz8@S%-<wuHh=_>je~YiHtAmDW_z~qis-Uc_gQV?jOW>_=H<Lp`q*J#;-wr|1UNXAi
z@0-bBHOlkwVo^MAnzoo-!tD?DLxKVB;qZGrlPz)VnsxTY)uD6K)6-{#Y|5dt=@#gf
z*>)=F=w<n=HPT5+N?KW2m11iE2E2{$2f(oAxHM37-E+Cp{7c~epHCXv_@Vr-3~!A;
zvbow#)JVF@1bU78C<`h2Z_KOn$Pn8tyy??HjG#1S?%m5bQ1W|gSa!-|7n)sgXlSHx
zeHgjZ_-C=tt8Ki+H(v^$S%_tpzT9~A>(ShEv+<8^IRyp0HBV{qMJ1USH}9jppRgt2
zCMzQq?LU5)qy}A0gEVu)$>iKh8Go>JNm*Grcx-oVrgZ(&N{#$b)FR^7=m&n3HfB;O
z<{YD_Got<H_mp}LKn0Diva-nOfW^K%HbYfa)tRQ47;YKCu#KOcRyow1x8hCH+uaD)
z=1F@)gYWv?UoiNqJ5#^d)c^O0NTGz^t^iwaQ_~wKv2QO$md2|;SqK~-Y;>x;cb<~t
z<K*PDIxEIiL)NE*w<HTAWBj`AyHcH#bOI}b)<lYoQ#=v%US-LkjNL4$9fDf@0Kv(@
zVYwGXE|vQZrLC=9^7-N611K74s6_*0?z6#Svw)5y!O(>mw6m5L<>GH4+wU}HbMx~V
z@6EW;<{$m{x0#rjrVDa&xoU{vmhn|uh@`8IM)jej6Mh@t0AD~Uy!qhsd1CX`A*<Mm
zd;RwsBe7FcQ}5ru=P5oBGbiBx*WJ(E#pSG+>zxnxf0RU@`1iq2ot5w|DJv_RdLYqX
zU0uC)L78FPYr;QVwe(>_IOUK6Q=P1=?DPy2e29f`kxNG9LzOO8(4Q}&TRv#FPOZ<i
zLl}8_c!c1k_GX{KhT9eLUxh_5pdWl|(%#WQvqGefWc8o#cmWyeJFx|@!#oV4OdE+q
zV9hU`Jar1%JJ#ij+k6L<`gD;sKvG)&{?6e?ReybbeQWCi)bkX8CVLw{MLYxHb25eJ
z2nCn$KLSW6)Lp_?UH~FvrmB*#y0(^%G9YFtgsu3uNE3iO;oXE<{r~vf(QNh3xX}CO
z8q$Y-gM(fNyK4Y6^;DGzL2;GF8L|xEWHmsTo^yf%?}a6f0MSjrGqjC!t;>qczLM~H
z_wev<YHDibGd6bin2QC}xOw7foE#3HXpfAQ+%{MluWodOOoyFX>Mz*o*Efq0nQ70v
zj1JF}syW=gy>-VU(65H2PxIj5fTp&}Yx7F+v%>t(tk^VJbjNFHW{vs4K-3R2t4Wlg
z?^vhw@mRhtud#>EgRMQch7V1azO7F$wj4lF;KAgk?D_QBo_#4`A@^F!|7L3z=F`>0
zkK7*@vb8$e;?Kn2l#u1A<Dp?WHTt8>mOSzKWs?!WpRi-$TEf!%%R+u0P&ZBXR<8r@
z{@s&(1JY%GXNCXu2aS%mLCGg3BGcDrOBrcsf}7B(2hhUrK^eH>?(8gss=m{-u1sot
z?u8Rzt=tm7&2HuC8Nf0-hGjObosIDgl$4a2%CYyMvO}iO@)@Lg(SD7vW0(>s*>mfZ
z%qbYi3nmfL=QgOm+6M)h*?SVXOv9nup?27pMSQ1{6>Hv)sr1`(%~XnMC_Hb~{5VC*
zzbZ3xrtZ;+H9=9)p{6FKs+cDZBjtAiQ#5>wiIi7Ui`*2b1su=pw<<eks{EKCu6g@3
zvmZW*oS3-Y72p?>lx32m;HyMqWYc;x2e4e4yQx0&XC0($zccV1Z}w_b4$iTACMOLw
zH~)l9`%&%tAuQ}P6@cJhx~fl~JxfVRx$dz@sHA`$m-0P$SnE4<F?wWV2+B`hE2a+g
zbaXjM32k|;{7<Grarla3w$)#mu~O?T>;`o+#8Z*U?^K_0c#Fp{h-ph)Twh<G-I(<|
zKHRC)p>$fmzP!;XJ?Klf+RFKQQj0xMbDV<f^5uaj@q~kG4nr(|<_q+Tr_Y9~MFPbg
z;Jk2w<r}0dr*xd!#qTXGGM2%QED98gQ;n;2&a?{Y^Baf}O<L54sycFQT@9JaTQFg{
zdNLP(jP&BUZ$HMCF~ZEm^ca0o;LrKKOCAC0gCA|aox4jtCbPZ0-Sl$Pp!cKOPe@G3
zqurSvzf>LorP9~0-|l0VI#`uwAg86cu(!7-WYZzw7i+F&xh#3*O3&cnPF_yx)6N5n
zD%2kr9#)_EMKrJN+H|8zgtq_A53f?Q#u?$cKFBZ`3mXd@pG&j1k57f;=yp@g`4WUw
zq|u+@GTTNSTz)69v9Ym(qoXbj-i9;(rMG7apkFz3?$6k&!`aqnT8;jH7jo7v(ABTA
zZD4uz=*Ke`BW|dvX)1;#cdecwB`s1yCrKqdk#O6h9%L66KX(Z&c;l%B;PjDdF1!%2
zy&f{-C?ffk1-t3F%%Z4RPft%a<X3v;9F5nP1N>QHI*M}<g<?MI7mOx>HMW?UAQ$&K
zUy2lXEDe}^@>G;$W@cn$?2cFb>r}JXw0c!nBl^8?;x(snKHZr)A+mNX%QxBFf<Jk|
zvo8u>SF#R8<>c5x5m1b4E4#ARN2AfDaQ{b@BH9i)mNGqjImc<Drt)rJP*7vDR;JPv
z`(mdys_#-Gd2n7{-n8ShT}oL+WYzkDWcLN8D|f<)e628=odB2*r*qWChId7Mw;lM{
z-(#J0wi=EPeoC*cWj{BSyW;XVm!F=g<DGT;s;-}(pO#kK+o~L@o_6E8hPm3=^asbW
z0S7aHQyMM2esv+=b+xxO=;%nCqW<C-^pXf`zD7esvpiC9V`XugjQV%Ln#-3!^e#O$
zHT%Vu_V)9V56W}-gzX0$`tx;r^w)<yNCuaON>AL5xMm8iH-T3s_2$K6Uj4Ue+LGpV
zh&7jq8h;gPdiq@NWWA)_k3UoGab&lA#wuNQA-XCaoQ8zDv`9AH+`gEiro!)*K>eII
z4O(#v#a))Ap&^6D!kc0ujil-do3!bua+w6%k5%pqRDYNjJa82{y?ey#8yk(i<mn+l
z&Mv7uOHMA>IW_Li^NMgKom&hGiv3C#d8svuFr40pe?7Ql&hJQLSC!@D<g~S^d_U{^
z(piyeTr3Buw;O`#B10mPbo{1w#`M_FrK<e`@Z{}aH$R_)I+~sTmJG~ux`>LE=as07
zC2Xfr)m|R{IDnssxa6`74q)cBd)KV3t#NppC6pcIYBfUe0xvJ|PSZkfPKDQ~4ie*Z
z`e*0sTKmDv^+%|NkxIZ4mX^~QicxHAY-%@di1^g&AeBbZ&@e1}lDxvV9xc^aHe!VL
zg@l9xjt{*^Cl+xC!N`~xQexQ+0>k+4jN|`BLjI4+SKTxJrA0}i3k}Pf%$nlZl}lV<
zuL0S5_y*5AlT>sjUb+pGYX^F&4l*l|#@yC+r%RsP=df|S+PBnosKnyYqepLkCYpYi
zWO{1Kksx_$BkSEod61$s>u&H@yT^WnKh?X_QS(nCB5*gNUp$SNR?Tw&t*}h9F8B=f
zIH)mqeY!Igb6Frz`J|<ffg}=|GPJf&?hCF*2R;{wh=}ZZvQ&XxGcYhfC}uy$t^+0#
zpc1`)of$Ay;b-r)3`kvQTqR7m6A}~8*|156G6x*2f%@jC^F5wh2e{J(#!)~*hX)5t
zAW<D1?gv0+3boDmI+%c6)6tOZFTbnP=TAjNrSKB8EsM=x-8&Nj0nn!X{QX@>*oZ)S
zB4|-Pg+Q)$SEnou1*vt^-h8drND)uKuv8S`0sUmfKLY_oPh3o_dV9pa#}%-NnfDZW
zY#Q*K+}QV5Vr6M*h&9idCejNs#vq(JL2?ml8FY@(Zdm4-nHe`%SBhH%{pIDmckhrV
zPL(^3(iR;8fO`ln8{}G%4h8X3eoNESfvYMvZz>F#TY!{Wd$^sf(wnQr&T#zb#A(0_
z!tTE`>xB}Sk3m(kz%<-eQfgW%uDy&wu7w`N@rjA;0XWx8pb1V9_aNvdEri++dPP0T
z(=q7`*}Jb#wZ=59S3sq_h%R>+ey1;H_mG#z9EyiF>3hH)pnvry<kz!r(_S_X|H+yN
zYY_5jY+}N!`a2(EJ)N1~qs?5_s4c*0P0jqZ2ijR*f_4VY0vgxzbqiKmba8n11Ixh@
zsyiQ?CZzamZEV<BN(pjMeST#IXe5H!cX&Q|@!<Om<z+OGJ?|=GwTc=Y#UCE*LQ~bt
z#fOIzDUk6jg0w?{36F}ZpZDfS&PBu>6%^M{Em0oqRt6kDthOR1B^7yt;Erj*DEI8}
zYsyo0?}7{kZ*07Illw*6pA-zsd@e$Zt}Z6(%~l|qIP3h6(a}+7eh_wEY=#q`IYWs7
zLF$5DhX4Isgbzp0LycFWk2VDb1uYLBGhSb%e1QYvBKFy1NzW&+u#m4%K}XJygq-|2
zFAEo!N+HBe)o0qY=Mmf&b%v`!<N=XsCE)nHm$QY%6sWgQ8VNMD^vEe-|27C%AQIbF
z`*pcDlg3<?_&W6CM>XI9LZ{;8m5-u3jnA!dooo9NbUI*fj;{V@)?s2|;&f}oH;5KZ
zH$uCqu9nmT#eQ1kWNN>1ER!Nx%kMDehjkBb-@ZK?`*-hq%5};*Z3-!X2=ZZMitj#*
zKOp7}`R{A}0tMAz2L#~rmnSM+W<WQ33xN*0TB_fAE6Au(TizTHe$~+Ww3GEP9|<im
z72x6=09!zVkDwe_`J0-i78KZ5yLJVK5|IeSt<ZG`-YZj?s0}!Fsy!T79U3S$i#;Ii
z#HF5szD2?;#jrQY2au2;23c4;IPh&gO5h>|O@Nzd%@HKGI9JHR76mRDL2Bw7kZPw-
zp43EU>0vd|t2cWW+(SLgB~HLC*(cRhR?=UtL**mZN!RN5xVZ%dsqv?_fiU1M<;2!=
z@$ft?28{H0w@9m4<OmXBkugh+gCjAzZM=XE;w&6huD(_Cq~JEeQNX>7j*ia0@%-M5
zG2ur8k^ik4QusyCeRDDp)lO%yGUZAj9l5%`%Ru$?^Z++8Q~>MailU+-k?&n5VpXJz
zi;KZ!KE6AY;Lyx$F7%%6PK}Shz|A5ef+YrgV@)uD_Oo(wM&nNqPx4RKLS`B~;h^Dw
ztB7hy?cD)3UgfbA+Cmqg98Le_AC2hAlP6u7%H+wlz$mH9rm4W3LHER`2G;oRN9NTK
z6rvDFFVHv|q>n;FLP~*-S(^NEuYzEr$NU0@J;jg&qS=Tolx$6WZLM@vAckc?#lnJ>
z=E>{VodgLf0a)Z$Irxv^1^}12*;yzXRzP(@d|pYC1h`=g+!xx)W#h`ac4hRFe7NnD
zqT3%b8kx?Y2P?}kMRDzi*95d7d(e`=$ePX0LaAhn`TyMnKdg3d{(MTvv-o(>sG6A>
za}nBSGBPq&X9w?wK$K>R*9FLfN2MAZ5<;NcIhWMb)Xb3sXm}rTZEY=#oO$3bWgmLz
z^dk(*J>x2OZed|ujtSf`0W6!^@!+|r&z|+!TGUN>a|VN%4tawLM?sY$BPZ97ea$K#
zD$JDwd;*x#_<P6O-x?P|>7SaP*ZV#E=f|h#hm?7U41{Io*Vl;Cr04o7?Ddl@A-qBT
z3L^#ztt*cqA|ZKo&B;`KlMesU`y;%&69kgm76&r_ibc@k@&Qp97#L);tpe88-Ob0e
z;_6<kyXqhnUW?cd;M9<DadDb5H*ZGoiduXPej#KVITsih2-&wXR4VW1_dkUqM^NbI
zzo+n88%*hAIX=10VQL(q#1o`;J_G#8mCqZG{~Au-^ntr@)xgL+A!m}P1Tq*dv!)9;
zusP;DXX3{Cx_KBBtH@YThm;G_L69o`yxx|j`fRm-ZKhd$5A&%&U>JzdM2UsGlhX>s
z<i}5+W(uy2dj|pRQBmhk104{$8#E*kwyklv_|1eW)H#uR?vr&$zSq~i$jmO8RQ1Id
z&tf!hdP1*fXa#bq_zr|S=(S0NYmoA!f!YT2rEcRmPMJxz<wY)nJBd&({Vs|xzBo!K
zz4M>a4kx1$)GLC1(B~~bdAKv7ynM;@bLD;Plc!Gu=b+u{fWVNai-x9a^{Xo#c+Nxw
zHD`nVty{P3BBQKN2K?qiv_r$(SzV<tOSkyyMR+?Y8ed%VmtZu3J_(P~q|D6x8bD@q
zL&M3FCnvRxuVWCPX*4U-(LD$F<he9J+74`k1H_Ie=d|j;-U1q$9SgxvB(_Fv0@53l
zYAH6dnd#}05`eRD4g?WL^B)l>;jh}o;kowbAUXbCToiX4DTgf1k_|ewJ`dFb{bUg*
z6EZtLKVWfu3~Ta*420n<(8jc{VRHS!$%Ax1M@97?GR^SF$PrNFf0P(SBxsFWtE<jn
zC<2PG?MQMtI@rTpBM9LcjA$J4U&ZCWo2mz`#QdL2dc^;Yz2J)fuhj~|4FTH{YUKZ~
zghPZ)Q`ajpvc8D%2BU-!av7b_lFHt_6J|aJ=Vz$=E;au(tjs1iH}~*opR#$ZGguX4
zW5%ZUAtMoJnUf=Wb)a|nq{AmWfP3;X1W#m$fglBS#2a3;jE^~gEu*4P7tLo-l2%?G
zum1wWqQnijo{VhZ&H+K4zH?`l3Lq>hGBPre&oHC(IqL4+yQ3eRel~*dmq%+*Y8hf<
zbP{?eDKW7;I!r$i!;)Y}35vy;1lt?2$E4@4g3!GhsEy3xfjy8r34#f@GXU(gBg#R-
z9<VV7!FqT|ADZ@O&;p^~fCd%H-r3pt(<2MjA_*o16(eIcXjK&KC(&pzQPD!<k5{tv
z>K?y(^=iKJb@9_vr=#oVD>6|kj>2a_CxtqyoqWCVPl=AiZ^I*kV+{He&`<k-+FW99
zU*C<3%vhO4s=g1Lw_X`=9y*rjkdu>_Z~I^g5pl=X_ETkL-_-uq@@?S2&p>*=1h0>#
zG5(pKPki;t_(ND+V&W-c8ald-NJ3ME;&|rF8No32GsMI*1z_6u@z_1`_3?SpSs)6w
zDpZEGDtO;j6%7q94-b(7vmYMfDW5+1-nnz3m<%g(kG8yu^4MmV-wW{m_wV1q<NmA!
z_sp%ip`0-4a6EUJo4fVfH&PLlDK}i3NOmr1gYwkr)BAt_uB&Mwv;IazMag69I+TCN
zO3uBoO$BXWZYu+&BJ!bJtNDHS>xpg(XBQV$b@e%2SfDLUZSBC_4{2#_EiHKTkQs~+
z^y^fB9P+;M?XIXftb?f(4}OdnY!Zl((gyahj~!XZY%s2n5F8u~(8cgqr-L6iq?9k)
zwQC>lA5)f8nPO;YY1i+;{<@CU`1?XuLS1>cNewsV=H>NM8k%qxReVCi-tI1+;X8%%
zIn*>X!d`!jP4&Q;Qd3b0Pi&g~8WDX~h(lcbB_VpSL2b2whJey1-ooSrJ)0)1DozGk
zrQF49*YtgJnvUdPh42uAnO_+|i|VJ24iBH)g%<@Qi;GtXHiG}-@$qp#5ui(Gzz1Lf
zh)DC*-pY}`5mtOE53w$tm7N_!FZfl>X0olb)63a;lJFe|&!?v?;jun{mRJ&-1H318
z{kmHZ;TK|@olsvz4lrHxHxl{QwzlT{?tt(`&A{L=Z}q63!qP8Y`~_(oAY(Z{zt3|=
z?32|&)Yrn!#1TRYfJUaIL-#R}_X-%i85F|9*hpxi;re(#-XrC`BqFP(Xu%B&tvrPG
zw{L_!AS>e)1gUPxj}>4PH|&L!l$77u%d8KS+@!AX)EO;SgTr~CI#yymJ3ak%uO$}|
zqhnz3YkAp0w;F$wQ%uYUHsOGijYp;o%=oeCWu{^|bMv&sCbe`_%W=@?NPByfqy<ky
zZ*T83hdT6%MsPCZkbX5U*0t;U`xE$~>lanHy4>EtrbVzEiPcbG(-<NBU!|k~S2v`2
zQ~%F*Izvl@kZ_!+Nm0}?1QCW1PbJ<UhiAT6K-@bkxG8!Z0k4>6WM&TUADXtnO1rpp
z4|y-b(mhE@`Mtc{v9S4vvOK+T?>H|HaYM1=Rr;f|$Ztr&8jAKu7y<j)SZ-lUknZ<l
z@%_8nlMvohyt+Jfg>kXR#ij7ZEWHptT{SffU?~A*kQf{t92$;4z<S#|Dap98u(O|_
zHUFZGoNob?mWDVfeP8q1wQFOAe9vAY9FgTj2Gtp;j>opI{b?~o<mAeSuV+mAxL~ah
z^m%#eKFb^)r-v~;n2l3bddwgOoMYi^$bhV=sVUT>V`R;P8|Sz9;&}*PO$W0Rcc6_=
zPIdttD=#nq@yTm{Z*MrBnu_Y{Zn5VTAt88Hn&Y2=jwgB2$h^1u^*;d}2g9<#4`6s{
zG@5>@oxk?ZRNpI4Ejoc^{)Q1GR&zA%{qbr&`DhE|uh@f4t{ZO%$m+_gSO?(4d}n#m
z^uAdA1OkBlG65|2((U&pmyNE62e8TM+<0rXkYgx^?xTW-F{yGdt*9_5F-Hc~CUz%h
zNk9r62)92?N8KyN;(hP0&$cp<<-V0U$eg>#VI374+dMZ}8HAJhtz}?fHz$O8dBTo3
zJiVD<#X#rT@TjZiN&BCsW;=4w{=ZDk==WyG$=25|UT`yqAitGfypbqzxY-L-`P@|p
zdaIg9jEag%og~fq^T`Pb+3bm}A;ff4)YNofytvFL71boyonWr;U&9Qvw-f&vg=b2W
z4SKM>93cXaFm?Wm8t){)2N1Bp?jm9RhKQYcnJVRPRPezATqUOc@I9~@K|mND9VO;A
zf8lhJHwV#o0JA~-rk`6%x|u+^9tX23G$0@1@U?`GYq4o{*2A-!hzTM+Ii&Xy`w_oc
zO^01K4|D}kXM)~4xkzk7C0qRUi;D+cX7kN*C^;X|huu3ElmN|LRYj%iAcl#V8Aw_H
z436M1^xGWVh!5z|W4*6H9ttg3dV!pDb!l!>3hN@F(OoSVrTHEAj8kKNcJ=_wHX9G~
zT!RcPliuV$F7U`cq&^~n92+t$utfhWPPY5~>4t5USgkv;)pmEJd?8&vtmEg<OX0ig
zP3N8ZHaSE{X*7SzyOa&8rfeQ*>dD}6ebC~+{XE+bO%(KuH(6N(DG%mgpgU)y^68BK
z{QC8)3iEJVJg<J7xebHA)$udlIbd?C7L12{$A_S==;)1eDGO#lAPZeH4pCox1puh^
zxcKdWdGWKC^$p|9v}yQ&!zDA#Iw;sAwP476?RX*7cqKm$P+sCq7jPHBnTE8<1sa~K
z0BqvyZ9`+@=nfcN=mmQRC#bnVAx3{YU~91-<c?AhoPll_mzaM6`JA)S4SQ9Pnj*5I
z7y-A4=2<>WFGQ5{b}R~?BB4hR6QT(y&$Hr{(GM%YwHsVbO__QMO+M-QDYQ(@0G?*1
zqYFzuuY1Od7pewjx&1)l84?l)82N$em6k6<5AFogKir#p?)7JEVR12%B-{J#SB`o4
zOT75%TlYw}#+eh-@dWt`ya|O_f~>~D0iwJg0N!vJpmshSJiKPUzeTv^y}Y~<w!EEL
zlK?vM3_OpI7rsAc&;WN|YJ)BrRCUbg*{{Ds!*Z?%zz(pOVo(GC!&jlmn5ClU0DiT&
zX&T<Ovg-Z7!1cy==MT@)vuDprAHtf1u59O*MD+6zZiv~cTAEJ@83;lURcsdwaux7S
z0xULYa#N})YEzTQ0GXAPGhquvM}y-pr<v)S2sdDaPP$$EOl@u4cSZNAOh-Crcq#1K
z8$=f*6eMtzHQ2ja!>5QIsv==6<*ktuZP#$dKENRg8H8-2$4#S)_<48&gR;Dy03wMw
zCqhLCghCzUeAm*QmM5&FN6&$Z=4J&<M{qXeHXt-0OHb+E^Ri*{Z~P}bAP{P{25tjL
z1p6engXQ~kezVIp>uYPWy)X)Ks?#(6-GN71P7bHk18;A_)DppcjfoL??+TO;&>|F?
zYoLpHEDs4TxHvi-TE$8Zfcyn6NN`vf4BfO%{MNOg=EdQ~HpOL0W@O)~hdwCo{f}va
zDin=xfB_!m+@(EO2h{OflAt`5=fC7(zze2@E?*`ib`IWMoNkQjl-lQ8ew+Ym<?+*t
zH=>IgbVf!;&uiEeeqO2BhnmkVS&bcJ1}^}T!(bS6Y=FvF9Y=6gRk}kB7_2#&v>1D6
zcO=edEo-Q(J_*H_%^7aFLf&pil*R=J{Z^_(o<Ucx(fQF;&`$x^JqXk{_5pU@(Q)&j
zzg^Zv^1Y<n{7qHWi0NAeB{1{Jfe8-}r<Z)--kx~ry8AE43Dn)gDE^voo~(2fU%|f@
z_ob8JGeOQfd!5xmyi5d!wFm^d+eo445=?>$EYG#m4pI|_bLs-Hni`?r8XTO^1(&Wl
zj$~yZZY-Z641P}5VoEA1BzNh2e0;PUnZ#GOw)_|Ka?<d?^a{A@sC)wn3`JmsqHg9~
z>>4zxsV|Rt{6jD$4XOW(i$?R9L)Rku0fD{L<{M{jcyAQ?<$r!G9}h#DuZi}bn?AS;
zCJy+TU)Mok%s&$Entl+Nl#d6yp!kAbXl!ik7MD4&mB?BmiJdXGm^Oe_jMwhJ>Kp!t
z*(qej@!vMqpcp_A*(0%_k;K*wB<v`)e*dnwz<$9(R#KM0pjLTw;9e(n-+)VAS8($m
z$9z%|#+R_pv2?0ZkJYeExYAqq-lpYWRU!o{i1UksZVWRRfR+kBj2kpZEXqmQMA_s<
z1XAIOuHP%-hRo~8-%*~U5ePW)TYIg`sgYW!g?1SKJlxr-@t2FatTCS^O`mK;6Jd``
zG$MvFq_p$rM<YTC)R>}|C|r|OT=DCFed<09rRvVmh-XB)?V;;Vy4s8W)@_qQk#m~z
zR((MIWYBaA;J^?aLC_P-R+w~H*Ydilg)dz*AhF$*HOU0>05Jy}yhE^(_a_8zKVd>G
z_GA-NZLUm63kqtrsa=SQiTOQP%uJ^JhZ}dB<JK#p0E=pR{+r}hW#oA)ygWRZ)5BFB
z_I)~+&1xj9+h`c}VBqv<t2m(b8S6FZTg!}RK;yq-pcxs|NuMYm^H@tBXerkCf|HZe
zSX^bdzrX(!%10t817S5&O8<TJ*{fH}%gZF~1V<XS_kj<aKWy<E_2l=k5Wx>XxYyCv
z&N2Zq$1t__A0sitOwtdH{X)J`sz9w%OdX1wnmU{8uVQV+MVem5nd*%ig}%+Y3w2^V
zLy>roMF&z+`qlctZ6|^?tHQBR{Pl}1Nqf3db1s2-S46qbwP6+L0+H=RCnzuJ`qHs5
z$11vnGS_2D;%x~nVaDh30GJayL^m!ZK4rBeXAn)>UwSPGV*xxh4`9xg@^#axNIi*Y
z%ua}=w9E9#MCrX*>ScSFkjRi1?QvfkP*=0DvSKGqipoDJhg->tCY8$6ClitUCxmiM
zvH;~pQqo*$`{EdLuSl5n6*oqc;h#IeqQjern1XurRX9T4`VHFUu*`i8A#QAj8S@$T
z)F!AaZ>OBQBf~8I)^xSWwEg;Jx7OX>e&gkWOtG+LjI#U;4FC4M5ZH}273<ri2L%<I
z<{1a2$gmR+NFXVfunAn>S2HsZg58yNx&L7zLoIykC*X>kZxrBv@JUC4q<6=<3Z<#9
z+y>)wDQAK@e<jGP$HK<q*k3>V%bn_(OCO0;;mI1X;mXfIxw^S&p;JIy`)=k3^GV(>
zRgW1>(oxYd%^9Ngv6WldoaqvsFtcMm3Yi<Vl^dEiU+hgEilN}`R%?#S)Z;gUAK$FB
zyQ4|y1rSVq`)xy$LJ#INd#(EVKBA(xppoZ)m^t(3v@!SCT`ukVN2*vaBm3TGI4vXy
zk71}RI&aiilmWNR{##8X&p*#s<}iGvFgiAt?)c-SPU_#`Ac0KX)Yj2yOm2i}hFsoB
zkoYv$rH|HPK^~{|UFk{>ntC+=%Q{`thsB4A-{R!u<>lfc`m(UH;*=Cr`o(s$jSxL~
zZfN=?4{ho`yJl*^4~+M(!i35dc`Yn<^4BjStA)7`HKOl2H;FAAZeqonnyj>5O>tho
zeqQ55A*E1w+eXJf&af~a@BBHlihBv=#6DNj5eg}qGJqr-E_X%JP8EesTO?KTrz7qT
zxShNQ;g)qHDoKGDb>>MYcxhSsPv4OI6G-Ap>OXj7vIiqfuWXg&jy~o@jY)_SS9^8Z
zz}+w&CqHTP=8F_MNV{df%y<NnI!SLqP@zJKBD%3Y_iGIa|0T~$<EVUd2PO7u*W7f$
zdy9HVp6Xk;D&LkoxEPi9t#YRcrk~T3lPnF6dO|d7(rEkSm;1_iBX51<WQ^vDhh^cX
zuvb;Tz1bdJWzVOd4%q=@;9+xBo)T!sBu_rhJ`a%>_-1^m!N7}LaWQKq!a^QF?v`+(
zx4)Z25ooqDI%#}KVJ(a)@5nfeQ3FR~4qpR2{}0w&w5(*I`c^bLRm@#N3x_xSrkOSO
zB1C;T;!C<Z4B{p%dRX$UcEBamQ62X}GXP)S)j@J>H+1zMbaCMD+zN_{s>j0V1$T<6
ztsd!r_|J={4`pU%isT}weJwSSHW_%(Zb3Cw-7mrwQ~P+4OD>koL@*J|`C4Lu*JmRe
zPOPWWn72JS|Hi?x^4-_R6g<4xe?D1&DDhsKekmFPPp@5ZLP)7%=cw}Gp*W4X_obV<
z_~|F-?KD+msB^1<F67#&a;Ax*!lu-$7+Gm{>?(UoI78dCxOou$Wv$ORZ`l3?plJSV
zbJLwCZ63Idike!6r~Na)v|ki-^$FJkJxj4sDPKxegdt^(Qj|ph+!9fGrE+~jsH7n7
zG3YlN^WWsp(d*w69~mAlrPb^OX*4bJdrKiBP|iSSozE0+cw}5!NUgrS8Df^V&YreA
z8|jNP&f5`ku*N#WOw(O~*I>FL)e9#l&0*B<qt6CMesJh<v0{D-OaVF!m3$cr5zs|O
z%HO9azS?+156ht3t~r)D-R6r!z#u-$OHR9V7!&gapcj~wiy!g%$L`n6Tn1$vrX<1d
zPtd7@DGQQ~D-5pn1|{6v&6<XJqDG<LTUeMwc~?x3b{wo{jdF%Op?d0hXO2~Q5IdGi
z-(&1UJKtEXmQjC_kPz}t@uL1A6&EkUh3j}u??_HtYBm%QFV2aswj;t^XE`>#Qro(m
zq*0RREzBI2W@>987LV0m3RBinfvnt#aiWuW!p_Eal*`_AGetV!2$&wtinum6I3Z7x
zk}BbBgmD*;Eex@lAriF3brpfDvj8wOV0Gb01<U#1ClW(6`&L|Uam$3|w+c(oK_p~q
z?`f@q(T!CnS>QZVU^)8U5gep|KJG3}!0Jhx^C{=d7kaW+?9RoHMq+upmODE-4nQ1N
z=kv5iA8e00m4q7;7B=h68^DcL)}Uy@2x<xbT*a<hsdVVHTH|AiNMB)3`Un5)wY42J
zmqw}3M-hSqcm5Z-I>GS{y|5nyt+fOOVL|&=dYDOn-j)5@wZWn4Y}jv?Y)fULM#+~~
z*2Dg4aZ}OKhH|umaZ#v=%oWTAkz@CA^EaqmN%8Rw_~KyHpRtcY^Dhz_@VRCxl7dA=
z3*n(pL!Df3LO;gFXs$O=ilFfzxbu>g<w$ByoCVYk-jto=8i9&k19}hVUW}@1Z``<{
z9CJ>WQ`*xGT+!E6VA(c(C^U*W27nFSq-cB$LIOk(Ks&m7y07{Q1R8<u0<Y=7cbgst
zjDPky_c&nk=g*&0Q(ty#_0jm<-Q6coC?tgG#YVi32~Ha{ceByrW|!uSGx%rLPxOOO
zbx`6!rGt4$fX(!Z35_@Z)=jt8Lh=CUCpa@BHAODPRi8cy9Tn&x13~v&0Z0Tcgo*r3
z4w#Yq{+;YnPnBde*eoFZtB#5U$ik3ZW~LQjf%;E>u`>CmjI=Ac-Q3&^X++eGjLt=h
z3kf|_ltq`^yXPVE4$O&MbP0@YyPb4Ig8W8$Ol0-}gfo?^moGntcO~(Ii~@4v!HfKn
zM+VK&XX{}c2LCZ=vN@&7bxw^|aVs(Z`Sa(mUo-zuLmMC(8yne`qI2s5z7O6ZCdQZ_
zz-Y6)g++Q<nb5IIk&#S7q?17|qMiNHrEg!pu(GoUDZ21GOw=&y@*I5!z3&33$&VjD
zj+FmIts^7S*5BWMPW-wS^5sQPN6Aa`<5E)}H{m=zuY&MYviqhmCntxyUV<tDG)p*P
zBmBmI28X9j60xV{tD_s?&^9(+o}agIxX%DrX39l*dwX}JTz{^p#hO7(p^VH#m52Ts
zGuq$SGoZ~N)^v6jfU9<~KpKD&y*&LE#iM2?T-vCBwo3$Y@$~7_N14fN%P0l30lKxd
z74Gt&=mxnbG6Pi@4p0WZf7?6GoQ{R3?i_D5pu*{8{eTi;3aohr9BSD6``2i%fd8L&
z)2*Et0?JkR{^SrE1VYckkLO9w$r3L7MEW{$WmT2YXbbAA|GzJQ`t9NA`941m4Fe^^
z@P3wK4H$CdGrw3H84-c__Z4vPKEvq?7njoa8bZRt@g{iiUxg*ce*6$Q@D83Qd<_d0
z_q6)+=kk#uu!pAv?tz4i086T_P9`RWu%OegsgWRJTeh{e5vC<Cd7Py(K|q!AaRHlz
zN<4+kaUKo>kiNPBa?>YpMYDR+zAeLJFT}Aosg1yN6h9YMhDZJW{mXpjA7`S%X-S*a
zKyvSwJ-99^YVhl}`(u<6`pG?(D_5u-??&xkGC8Pf9i|3>n3OO>^sb2xr29r>8L<Gw
z>qh!LZXGI!q>oiqv{>v~KJ?ZRikYaSfL?J{)<-6A>)JZB^g=cyi$gZP!9Xqv8-`Lr
zKY1w^&2O2?{u`{8>Ag;FD!Bd(tw6mBwFyE@iwgXPpy+6lvV5ng%Xm;nrn1vfDwkN5
z&bGC;7i_S{aj4tC_JM@~L73}1_<Qv_kuNhd^NqcVr-Z|Xe0<BG!RFPk5@Rs=qbFEE
z#|=8?ZKAG9!@ywtvmef08eAuO*jLXQXf$4&bXIpGC`B9DfTHMi?VBgw>+8e8d^;fk
z!at_<E`XYhZKnJ9JhEz9n#20e9Z^wHXEsgn1n4r{-cIfM?Od_cfL$Gb31vs(n4D3(
z0hNOaABF_DZ)=;QFJ1ebwbkFxZ<e`x{o3fCRv^8{{`bMVX*t#!gwghUj*ohJv>kYl
zMO~&9Ji)&T|5!#i{uFIOGy^Ia&uq|0O&0#$yDLC+2s=a3&LSW{q2WOJmS_e%T76dP
zlb^E?g63zG2{&xbvciWK_yg9u^(Y*xgoA+?v;he4!I+XNyap6aHMO>H-x8Sm!VN%T
zR^b0y2}k4X7;*2hU7!y-@XlXPBndnyeLg#TXE`ng1y4zN_Uu`L$HIM@d=-z!!<6e_
zcehsI3s5GlZzD5kyI^Jq$e-LrI19waYi2e9%SS5;M+oD<&EnR1Gei#~Www94Q?s+P
z;Y41^P}jhKUK^;@Oct@Qg$9V+w_zb6TR<LxSF%0OD!6v&g)HX=A&o`xA@nMO6&r9G
z9&OGA2BDOh{c+)S5O57ez#)e|y4gBdIyu$)?X44LF8Ng9f&#hK(m=<E?sn6*w6+?4
z@+^YUF&Ni@qkxaD9)q_H$JpR-lUdZcU~e=9HFbRk;lQlS0aU2{-Cdc}FtKmuw-!Rb
zcp`xE0L*w$RkpUbr92kn#iEsAC|&y-fqn#?CLf2<ZBWo-vLhZpR(c8N^2#c~Zmrm5
z7IV$YT`X_|sR~DJhlJy{VZ?NoCx_qC9p@557rqb82lyulc%^;^(guiywdab;aHI&o
zExmZWE&@g!SUSI1PYBl9b~5=y)s2oO6Mi2Bg4k)Sug^ZS#u1Z}OpJ`$RX9DQbB+um
z%H|vFIP|4CrC*?|lF!_+wvLF0dxyQTfnw3{Zf$e(U^<FFD;9KVNu1A2%ryly9Fjx*
zWy3!wexcto?-fXu@AYE^U{W-W>UMff-9Ntx${pA@U~PJT5r?q2L^%DsLYVXCLm#oh
z<VZp2A^c?iyTl7l3KyQUI%ao1*mWtVT%DD6|J4P0AZTsJlrSkWklPo4VY_&&^8~|k
zuDlM0#>GqtM+mAEHK%fA3y)#?VJ0`0Q3a$DxH=r*B4UNp(hcwSq$9RTVy3fxq{E?j
OgsS2#g|~9%f&T-<Erz53

literal 0
HcmV?d00001


From 6de3e8b5c5a5b436b4382496fc09a6869547d7c3 Mon Sep 17 00:00:00 2001
From: Chris Doherty <chris.doherty4@gmail.com>
Date: Mon, 27 Feb 2023 08:28:29 -0600
Subject: [PATCH 05/14] Change action map to list so we don't loose action
 order

Signed-off-by: Chris Doherty <chris.doherty4@gmail.com>
---
 design/20230222_tinkerbell_crd_refactor.md | 122 ++++++++++-----------
 1 file changed, 60 insertions(+), 62 deletions(-)

diff --git a/design/20230222_tinkerbell_crd_refactor.md b/design/20230222_tinkerbell_crd_refactor.md
index aa0e631..727b74f 100644
--- a/design/20230222_tinkerbell_crd_refactor.md
+++ b/design/20230222_tinkerbell_crd_refactor.md
@@ -91,28 +91,28 @@ type Hardware struct {
 
 type HardwareSpec struct {
 	// NetworkInterfaces defines the desired DHCP and netboot configuration for a network interface.
-	//+kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MinItems=1
 	NetworkInterfaces NetworkInterfaces `json:"networkInterfaces,omitempty"`
 
 	// IPXE provides iPXE script override fields. This is useful for debugging or netboot
 	// customization.
-	//+optional.
+	// +optional.
 	IPXE IPXE `json:"ipxe,omitempty"`
 
 	// OSIE describes the Operating System Installation Environment to be netbooted.
 	OSIE OSIE `json:"osie,omitempty"`
 
 	// Instance describes instance specific data that is generally unused by Tinkerbell core.
-	//+optional
+	// +optional
 	Instance Instance `json:"instance,omitempty"`
 
 	// StorageDevices is a list of storage devices that will be available in the OSIE.
-	//+optional.
+	// +optional.
 	StorageDevices []StorageDevice `json:"storageDevices,omitempty"`
 
 	// BMCRef references a Rufio Machine object. It exists in the current API and will not be changed
 	// with this proposal.
-	//+optional.
+	// +optional.
 	BMCRef LocalObjectReference `json:"bmcRef,omitempty"`
 }
 
@@ -122,48 +122,48 @@ type NetworkInterface struct {
 	DHCP DHCP `json:"dhcp,omitempty"`
 
 	// DisableDHCP disables DHCP for this interface. Implies DisableNetboot.
-	//+kubebuilder:default=false
+	// +kubebuilder:default=false
 	DisableDHCP bool `json:"disableDhcp,omitempty"`
 
 	// DisableNetboot disables netbooting for this interface. The interface will still receive
 	// network information speified on by DHCP.
-	//+kubebuilder:default=false
+	// +kubebuilder:default=false
 	DisableNetboot bool `json:"disableNetboot,omitempty"`
 }
 
 // DHCP describes basic network configuration to be served in DHCP offers.
 type DHCP struct {
 	// IP is an IPv4 address.
-	//+kubebuilder:validation:Pattern="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}"
+	// +kubebuilder:validation:Pattern="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}"
 	IP      string `json:"ip,omitempty"`
 
 	// Netmask is an IPv4 netmask.
-	//+kubebuilder+validation:Pattern="^(255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255)"
+	// +kubebuilder+validation:Pattern="^(255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255)"
 	Netmask string `json:"netmask,omitempty"`
 
 	// Gateway is the default gateway address.
-	//+kubebuilder:validation:Pattern="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}"
-	//+optional
+	// +kubebuilder:validation:Pattern="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}"
+	// +optional
 	Gateway string `json:"gateway,omitempty"`
 
-	//+kubebuilder:validation:Pattern="^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9]"[A-Za-z0-9\-]*[A-Za-z0-9])$"
-	//+optional
+	// +kubebuilder:validation:Pattern="^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9]"[A-Za-z0-9\-]*[A-Za-z0-9])$"
+	// +optional
 	Hostname string `json:"hostname,omitempty"`
 
 	// VLANID is a VLAN ID between 0 and 4096.
-	//+kubebuilder:validation:Pattern="^(([0-9][0-9]{0,2}|[1-3][0-9][0-9][0-9]|40([0-8][0-9]|9[0-6]))(,[1-9][0-9]{0,2}|[1-3][0-9][0-9][0-9]|40([0-8][0-9]|9[0-6]))*)$"
-	//+optional
+	// +kubebuilder:validation:Pattern="^(([0-9][0-9]{0,2}|[1-3][0-9][0-9][0-9]|40([0-8][0-9]|9[0-6]))(,[1-9][0-9]{0,2}|[1-3][0-9][0-9][0-9]|40([0-8][0-9]|9[0-6]))*)$"
+	// +optional
 	VLANID string `json:"vlanId,omitempty"`
 
-	//+optional
+	// +optional
 	Nameservers []Nameserver `json:"nameservers,omitempty"`
 
-	//+optional
+	// +optional
 	Timeservers []Timeserver `json:"timeservers,omitempty"`
 
-	// 24h default
-	//+kubebuilder:default=86400
-	//+kubebuilder:validation:Minimum=0
+	// 24h default.
+	// +kubebuilder:default=86400
+	// +kubebuilder:validation:Minimum=0
 	LeaseTime int32 `json:"leaseTime"`
 }
 
@@ -175,18 +175,18 @@ type Netboot struct {
 
 	// KernelParams passed to the kernel when launching the OSIE. Parameters are joined with a
 	// space.
-	//+optional
+	// +optional
 	KernelParams []string `json:"kernelParams,omitempty"`
 }
 
 // IPXE describes overrides for IPXE scripts. At least 1 option must be specified.
 type IPXE struct {
 	// Content is an inline iPXE script.
-	//+optional
+	// +optional
 	Content *string `json:"inline,omitempty"`
 
 	// URL is a URL to a hosted iPXE script.
-	//+optional
+	// +optional
 	URL *string `json:"url,omitempty"`
 }
 
@@ -195,11 +195,11 @@ type IPXE struct {
 // service such as Tinkerbell's Hegel. The core Tinkerbell stack does not leverage this data.
 type Instance struct {
 	// Userdata is data with a structure understood by the producer and consumer of the data.
-	//+optional
+	// +optional
 	Userdata string `json:"userdata,omitempty"`
 
 	// Vendordata is data with a structure understood by the producer and consumer of the data.
-	//+optional
+	// +optional
 	Vendordata string `json:"vendordata,omitempty"`
 }
 
@@ -207,20 +207,20 @@ type Instance struct {
 type NetworkInterfaces map[MAC]NetworkInterface
 
 // MAC is a Media Access Control address.
-//+kubebuilder:validation:Pattern="^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$"
+// +kubebuilder:validation:Pattern="^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$"
 type MAC string
 
 // Nameserver is an IP or hostname.
-//+kubebuilder:validation:Pattern="^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
+// +kubebuilder:validation:Pattern="^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
 type Nameserver string
 
 // Timeserver is an IP or hostname.
-//+kubebuilder:validation:Pattern="^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
+// +kubebuilder:validation:Pattern="^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
 type Timeserver string
 
 // StorageDevice describes a storage device path that will be present in the OSIE.
 // StorageDevices must be valid linux paths.
-//+kubebuilder:validation:Pattern="^(/[^/ ]*)+/?$"
+// +kubebuilder:validation:Pattern="^(/[^/ ]*)+/?$"
 type StorageDevice string
 ```
 
@@ -251,8 +251,9 @@ type OSIESpec struct {
 
 ```go
 // Template defines a set of actions to be run on a target machine. The template is rendered
-// prior to execution where it is exposed to Hardware and user defined data. All fields within
-// TemplateSpec may contain template values. See https://pkg.go.dev/text/template for more details.
+// prior to execution where it is exposed to Hardware and user defined data. Most fields within the
+// TemplateSpec may contain templates values excluding .TemplateSpec.Actions[].Name.
+// See https://pkg.go.dev/text/template for more details.
 type Template struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -264,34 +265,34 @@ type TemplateSpec struct {
 	// Actions defines the set of actions to be run on a target machine. Actions are run sequentially
 	// in the order they are specified. At least 1 action must be specified. Names of actions
 	// must be unique within a Template.
-	//kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MinItems=1
 	Actions []Action `json:"actions,omitempty"`
 
 	// Volumes to be mounted on all actions. If an action specifies the same volume it will take
 	// precedence.
-	//+optional
+	// +optional
 	Volumes []Volume `json:"volumes,omitempty"`
 
 	// Env defines environment variables to be available in all actions. If an action specifies
 	// the same environment variable it will take precedence.
-	//+optional
+	// +optional
 	Env map[string]string `json:"env,omitempty"`
 }
 
 // Action defines an individual action to be run on a target machine.
 type Action struct {
-	// Name is a unique name for the action.
+	// Name is a unique name for the action. It cannot be a templated value.
 	Name string `json:"name,omitempty"`
 
 	// Image is an OCI image.
 	Image string `json:"image,omitempty"`
 
 	// Cmd defines the command to use when launching the image.
-	//+optional
+	// +optional
 	Cmd string `json:"cmd,omitempty"`
 
 	// Args are a set of arguments to be passed to the container on launch.
-	//+optional
+	// +optional
 	Args []string `json:"args,omitempty"`
 
 	// Env defines environment variables used when launching the container.
@@ -299,13 +300,13 @@ type Action struct {
 	Env map[string]string `json:"env,omitempty"`
 
 	// Volumes defines the volumes to mount into the container.
-	//+optional
+	// +optional
 	Volumes []Volume `json:"volumes,omitempty"`
 
 	// NetworkNamespace defines the network namespace to run the container in. This enables access 
 	// to the host network namespace.
 	// See https://man7.org/linux/man-pages/man7/namespaces.7.html.
-	//+optional
+	// +optional
 	NetworkNamespace string `json:"networkNamespace,omitempty"`
 }
 
@@ -350,21 +351,21 @@ type WorkflowSpec struct {
 
 	// TemplateData is user defined data that is injected during template rendering. The data
 	// structure should be marshalable.
-	//+optional
+	// +optional
 	TemplateData map[string]any `json:"templateData,omitempty"`
 
 	// Timeout defines the time the workflow has to complete. The timer begins when the first action
 	// is requested. When set to 0, no timeout is applied.
-	//+kubebuilder:default=0
-	//+kubebuilder:validation:Minimum=0
+	// +kubebuilder:default=0
+	// +kubebuilder:validation:Minimum=0
 	Timeout time.Duration `json:"timeout,omitempty"`
 }
 
 type WorkflowStatus struct {
-	// Actions is the map of rendered actions and their status'.
-	Actions map[string]ActionStatus `json:"actions,omitempty"`
+	// Actions is a list of action states.
+	Actions []ActionStatus `json:"actions,omitempty"`
 
-	// StartedAt is the time the first action was requested. Nil indicates the workflow has not
+	// StartedAt is the time the first action was requested. Nil indicates the Workflow has not
 	// started.
 	StartedAt *metav1.Time `json:"startedAt,omitempty"`
 
@@ -388,7 +389,7 @@ type ActionStatus struct {
 	// Rendered is the rendered action.
 	Rendered Action `json:"rendered,omitempty"`
 
-	// StartedAt is the time the action was requested. Nil indicates the action has not started.
+	// StartedAt is the time the action was requested. Nil indicates the Action has not started.
 	StartedAt *metav1.Time `json:"startedAt,omitempty"`
 
 	// State describes the current state of the action.
@@ -427,11 +428,11 @@ const (
 
 ### Workflow state machine
 
-![Workflow state machine](https://raw.githubusercontent.com/tinkerbell/roadmap/latest/design/14_tinkerbell_crd_refactor/workflow_state_machine.png)
+![Workflow state machine](https://raw.githubusercontent.com/chrisdoherty4/tinkerbell-roadmap/feat/crd-refactor/design/images/tinkerbell_crd_refactor/workflow_state_machine.png)
 
 ### Action state machine
 
-![Action state machine](https://raw.githubusercontent.com/tinkerbell/roadmap/latest/design/14_tinkerbell_crd_refactor/workflow_state_machine.png)
+![Action state machine](https://raw.githubusercontent.com/chrisdoherty4/tinkerbell-roadmap/feat/crd-refactor/design/images/tinkerbell_crd_refactor/action_state_machine.png)
 
 ### Resource validation
 
@@ -439,25 +440,18 @@ Each CRD will leverage [CEL](https://kubernetes.io/blog/2022/09/23/crd-validatio
 
 ### Data and functions available during template rendering
 
-Templates will have access to a subset of `Hardware` data when they are rendered. Injecting `Hardware` data was outlined in a [previous proposal](https://github.com/tinkerbell/proposals/tree/e24b19a628c6b1ecaafd566667155ca5d6fd6f70/proposals/0028). The existing implementation only injects disk that will, based on this proposal, be sourced from the `.Hardware.StorageDevices` list.
-
-The previous proposal did not outline a set of custom functions injected into templates. The custom functions are detailed in [`template_funcs.go`](https://github.com/tinkerbell/tink/blob/main/internal/workflow/template_funcs.go) and include:
-
-* `contains`: determine if a string contains a substring.
-* `hasPrefix`: determine if a string has a prefix.
-* `hasSuffix`: determine if a string has a suffix.
-* `formatPartition`: formats a string representing a device path with a specific partition. For example, `{{ formatPartition "/dev/sda" 1 }}` will result in `/dev/sda1`.
+Templates will have access to a subset of `Hardware` data when they are rendered. Injecting `Hardware` data was outlined in a [previous proposal](https://github.com/tinkerbell/proposals/tree/e24b19a628c6b1ecaafd566667155ca5d6fd6f70/proposals/0028). The existing implementation only injects disk that will, based on this proposal, be sourced from the `.Hardware.StorageDevices` list. This will continue to be available for new templates.
 
-These functions will continue to be available during template rendering.
+All existing, custom template functions detailed in [`template_funcs.go`](https://github.com/tinkerbell/tink/blob/main/internal/workflow/template_funcs.go) will continue to be available during template rendering.
 
-### Hegel Changes
+### Hegel API Changes
 
 Hegel will undergo a reduction in the endpoints it serves because the data is no longer available on the `Hardware` resource. Minimally, Hegel will serve the following endpoints:
 
 * `/2009-04-04/meta-data/instance-id`
 * `/2009-04-04/user-data`
 
-This ensures compatability with the cloud-init that explores the API via the `instance-id` endpoint.
+This ensures compatability with cloud-init that explores the API via the instance ID endpoint.
 
 ## Migrating from v1alpha1 to v1alpha2
 
@@ -501,20 +495,24 @@ Workflows operate as a state machine (detailed in [Workflow state transition](#w
 
 For these reasons, we think it would be more appropriate to have explicit fields to represent state and consider a separate conditions proposal that compliments the CRDs.
 
+### `ActionState` and `WorkflowState`
+
+Having 2 separate types helps decouple the Action and Workflow state machines. This ensures adding or removing states from Actions or Workflows will not impact the other.
+
 ## Implementation Plan
 
 1. All services that have unreleased changes will be released under a new version. This provides a baseline of functional services that can be used in the Tinkerbell Helm charts.
 
 2. Develop the code to leverage the `v1alpha2` API.
 
-3. Hard cut over to the new API version. This means versions beyond those specified during (1) will no longer support the `v1alpha1` API.
+3. Hard cut over to the new API version. This means service versions beyond those specified during (1) will no longer support the `v1alpha1` API and consumers will be forced to convert their resources.
 
 ## Future Work
 
-Introducing mechanisms to propagate reasons and user readable messages for action failure. As these mechanisms do not exist currently and will not be realized through this proposal, the `.Workflow.Status.Reason` and `.Workflow.Status.Message` will have minimal benefit to the end user. The separate proposal will address the contract between actions and Tink Worker that can be used to propogate a reason and message to workflows.
+Introducing mechanisms to propagate `Reason` and `Message` values for action failure. As these mechanisms do not exist currently and will not be realized through this proposal, the `.Workflow.Status.Reason` and `.Workflow.Status.Message` will have minimal benefit to the end user. The separate proposal will address the contract between actions and Tink Worker that can be used to propogate a reason and message to workflows.
 
 Maintainers have informally discussed inverting the relationship between `Hardware` and Rufio CRDs. This is necessary for defining a precedent on how to extend Tinkerbell functionality without expanding the scope of core Tinkerbell CRDs.
 
 Introduction of user defined metadata to be served by Hegel that could facilitate user defined actions. Similarly, injection of additional `Hardware` data when templates are rendered will be addressed on a separate ad-hoc basis.
 
-Separation of `Hardware.Instance` data into a separate CRD possibly owned by Hegel. Given the instance data is unused by the core Tinkerbell stack it 
+Separation of `Hardware.Instance` data into a separate CRD possibly owned by Hegel. Given the instance data is unused by the core Tinkerbell stack we anticipate, in conjunction with adjusting the relationship between Rufio and Tink CRDs, that instance metadata will be deprecated on this API and transitioned to a separate CRD.

From 66e3a12b39bbebf83f4035e8ab5792bc78e947d3 Mon Sep 17 00:00:00 2001
From: Chris Doherty <chris.doherty4@gmail.com>
Date: Mon, 27 Feb 2023 08:30:14 -0600
Subject: [PATCH 06/14] Update ToC

Signed-off-by: Chris Doherty <chris.doherty4@gmail.com>
---
 design/20230222_tinkerbell_crd_refactor.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/design/20230222_tinkerbell_crd_refactor.md b/design/20230222_tinkerbell_crd_refactor.md
index 727b74f..928d4f2 100644
--- a/design/20230222_tinkerbell_crd_refactor.md
+++ b/design/20230222_tinkerbell_crd_refactor.md
@@ -13,14 +13,16 @@
       - [`OSIE`](#osie)
       - [`Template`](#template)
       - [`Workflow`](#workflow)
-    - [Workflow state transition](#workflow-state-transition)
-    - [Webhooks](#webhooks)
+    - [Workflow state machine](#workflow-state-machine)
+    - [Action state machine](#action-state-machine)
+    - [Resource validation](#resource-validation)
     - [Data and functions available during template rendering](#data-and-functions-available-during-template-rendering)
-    - [Hegel Changes](#hegel-changes)
+    - [Hegel API Changes](#hegel-api-changes)
   - [Migrating from v1alpha1 to v1alpha2](#migrating-from-v1alpha1-to-v1alpha2)
   - [Rationale](#rationale)
     - [Comparison with existing resources](#comparison-with-existing-resources)
     - [Use of explicit `State`, `Reason` and `Message` fields vs conditions](#use-of-explicit-state-reason-and-message-fields-vs-conditions)
+    - [`ActionState` and `WorkflowState`](#actionstate-and-workflowstate)
   - [Implementation Plan](#implementation-plan)
   - [Future Work](#future-work)
 

From 4bd09ed46f7ddae057e6b2bebb0a6e5c8a39e396 Mon Sep 17 00:00:00 2001
From: Chris Doherty <chris.doherty4@gmail.com>
Date: Mon, 27 Feb 2023 17:10:35 -0600
Subject: [PATCH 07/14] Update to use conditions

Signed-off-by: Chris Doherty <chris.doherty4@gmail.com>
---
 design/20230222_tinkerbell_crd_refactor.md    | 137 ++++++++++++++----
 .../tinkerbell_crd_refactor/action_state.puml |   4 -
 .../action_state_machine.png                  | Bin 13184 -> 12057 bytes
 3 files changed, 107 insertions(+), 34 deletions(-)

diff --git a/design/20230222_tinkerbell_crd_refactor.md b/design/20230222_tinkerbell_crd_refactor.md
index 928d4f2..f205b30 100644
--- a/design/20230222_tinkerbell_crd_refactor.md
+++ b/design/20230222_tinkerbell_crd_refactor.md
@@ -133,17 +133,18 @@ type NetworkInterface struct {
 	DisableNetboot bool `json:"disableNetboot,omitempty"`
 }
 
-// DHCP describes basic network configuration to be served in DHCP offers.
+// DHCP describes basic network configuration to be served in DHCP OFFER responses. It can be
+// considered a DHCP reservation.
 type DHCP struct {
-	// IP is an IPv4 address.
+	// IP is an IPv4 address to serve.
 	// +kubebuilder:validation:Pattern="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}"
 	IP      string `json:"ip,omitempty"`
 
-	// Netmask is an IPv4 netmask.
+	// Netmask is an IPv4 netmask to serve.
 	// +kubebuilder+validation:Pattern="^(255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255)"
 	Netmask string `json:"netmask,omitempty"`
 
-	// Gateway is the default gateway address.
+	// Gateway is the default gateway address to serve.
 	// +kubebuilder:validation:Pattern="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}"
 	// +optional
 	Gateway string `json:"gateway,omitempty"`
@@ -157,12 +158,15 @@ type DHCP struct {
 	// +optional
 	VLANID string `json:"vlanId,omitempty"`
 
+	// Nameservers to serve.
 	// +optional
 	Nameservers []Nameserver `json:"nameservers,omitempty"`
 
+	// Timeservers to serve.
 	// +optional
 	Timeservers []Timeserver `json:"timeservers,omitempty"`
 
+	// LeaseTime to serve.
 	// 24h default.
 	// +kubebuilder:default=86400
 	// +kubebuilder:validation:Minimum=0
@@ -376,14 +380,8 @@ type WorkflowStatus struct {
 	// enter a WorkflowStateFailed if 1 or more Actions fails.
 	State WorkflowState `json:"state,omitempty"`
 
-	// Reason is a short CamelCase word or phrase describing why the Workflow entered
-	// WorkflowStateFailed. It is not relevant when the State field is not WorkflowStateFailed.
-	Reason string `json:"reason,omitempty"`
-
-	// Message is a free-form user friendly message describing why the Workflow entered the
-	// WorkflowStateFailed state. Typically, this is an elaboration on the Reason. It is not
-	// relevant when the State field is not WorkflowStateFailed.
-	Message string `json:"message,omitempty"`
+	// Conditions details a set of observations about the Workflow.
+	Conditions Conditions
 }
 
 // ActionStatus describes status information about an action.
@@ -392,7 +390,7 @@ type ActionStatus struct {
 	Rendered Action `json:"rendered,omitempty"`
 
 	// StartedAt is the time the action was requested. Nil indicates the Action has not started.
-	StartedAt *metav1.Time `json:"startedAt,omitempty"`
+	StartedAt metav1.Time `json:"startedAt,omitempty"`
 
 	// State describes the current state of the action.
 	State ActionState `json:"state,omitempty"`
@@ -411,9 +409,17 @@ type ActionStatus struct {
 type WorkflowState string
 
 const (
+	// WorkflowStatePending indicates the workflow is in a pending state.
 	WorkflowStatePending   WorkflowState = "Pending"
+
+	// WorkflowStateRunning indicates the first Action has been requested and the Workflow is in
+	// progress.
 	WorkflowStateRunning   WorkflowState = "Running"
+
+	// WorkflowStateSucceeded indicates all Workflow actions have successfully completed.
 	WorkflowStateSucceeded WorkflowState = "Succeeded"
+
+	// WorkflowStateFailed indicates an Action entered a failure state.
 	WorkflowStateFailed    WorkflowState = "Failed"
 )
 
@@ -421,13 +427,96 @@ const (
 type ActionState string
 
 const (
+	// ActionStatePending indicates an Action is awaiting execution.
 	ActionStatePending      ActionState = "Pending"
+
+	// ActionStateRunning indicates an Action has begun execution.
 	ActionStateRunning      ActionState = "Running"
+
+	// ActionStateSucceeded indicates an Action completed execution successfully.
 	ActionStateSucceeded    ActionState = "Succeeded"
+
+	// ActionStatFailed indicates an Action failed to execute. Users may inspect the associated
+	// Workflow resource to gain deeper insights into why the action failed.
 	ActionStateFailed       ActionState = "Failed"
 )
 ```
 
+A `Started` condition will be used to indicate the workflow has started and is observed based on the presence of `Workflow.WorkflowStatus.StartedAt`. It's severity will be `ConditionSeverityInfo` and its default Status will be `ConditionStatusFalse`.
+
+A `Succeeded` condition will be used to indicate the workflow succeeded indicated by a status of `ConditionStatusTrue`. When an action fails, `Succeeded` will become `ConditionStatusFalse` with severity `ConditionSeverityError` and the `Reason` and `Message` will be propagated from the failed `ActionStatus`.
+
+#### Conditions
+
+The conditions data structure will only be available on the `Workflow` CRD but is designed to be applicable to other resources. It provides the foundational components for extensible observations about any resource that it resides on.
+
+```go
+// ConditionType 
+type ConditionType string
+
+// ConditionSeverity expresses the severity of a Condition Type failing.
+type ConditionSeverity string
+
+const (
+  // ConditionSeverityError indicates the condition should be treated as an error.
+  ConditionSeverityError ConditionSeverity = "Error"
+
+  // ConditionSeverityWarning indicates the condition shouldbe investigated but the system may
+  // continue to work.
+  ConditionSeverityWarning ConditionSeverity = "Warning"
+
+  // ConditionSeverityInfo indicates the condition is informational only.
+  ConditionSeverityInfo ConditionSeverity = "Info"
+
+  // ConditionSeverityNone indicates the condition has no severity.
+  ConditionSeverityNone ConditionSeverity = ""
+)
+
+// ConditionStatus expresses the current state of the condition.
+type ConditionStatus string
+
+const (
+	// ConditionStatusUnknown is the default status and indicates the condition cannot be
+	// evaluated to either ConditionStatusTrue or ConditionStatusFalse.
+	ConditionStatusUnknown ConditionStatus = "Unknown"
+
+	// ConditionStatusTrue indicates the condition has been evaluated as true.
+	ConditionStatusTrue ConditionStatus = "True"
+
+	// ConditionStatusFalse indiciates the condition has been evaluated as false.
+	ConditionStatusFalse ConditionStatus = "False"
+)
+
+// Condition defines an observation on a resource that is generally attainable by inspecting 
+// other status fields.
+type Condition struct {
+   // Type of condition.
+   Type ConditionType `json:"type"`
+
+   // Status of the condition.
+   Status ConditionStatus `json:"status"`
+
+   // Severity with which to treat failures of this type of condition.
+   // +kubebuilder:default="Error"
+   // +optional
+   Severity ConditionSeverity `json:"severity,omitempty"`
+
+   // LastTransitionTime is the last time the condition transitioned from one status to another.
+   LastTransitionTime metav1.Time `json:"lastTransitionTime"`
+
+   // Reason for the conditions last transition.
+   // +optional
+   Reason string `json:"reason,omitempty"`
+
+   // Message is a human readable message indicating details about the last transition.
+   // +optional
+   Message string `json:"message,omitempty"`
+}
+
+// Conditions define a list of observations of a particular resource.
+type Conditions []Condition
+```
+
 ### Workflow state machine
 
 ![Workflow state machine](https://raw.githubusercontent.com/chrisdoherty4/tinkerbell-roadmap/feat/crd-refactor/design/images/tinkerbell_crd_refactor/workflow_state_machine.png)
@@ -457,7 +546,9 @@ This ensures compatability with cloud-init that explores the API via the instanc
 
 ## Migrating from v1alpha1 to v1alpha2
 
-Given the relative immaturity of the Tinkerbell API we will not provide any migration tooling from `v1alpha1` to `v1alpha2`. Users will be required to manually convert `Hardware` and `Template` resources. `Workflow` resources are considered ephemeral and can generally be deleted.
+We will provide a basic utility for converting v1alpha1 `Hardware` and `Template` resources to the v1alpha2 version. For fields that cannot be represented in the v1alpha2 API the data will be dropped.
+
+`Workflow`s are considered ephemeral and should be recreated by the end user.
 
 ## Rationale
 
@@ -491,16 +582,6 @@ Reasons for failures have been introduced as a core concept, via the `Reason` fi
 
 The `Workflow` provides a `TemplateData` field that can be used to inject arbitrary data into templates. This facilitates users wanting to model variable data on `Template`s that has per-`Workflow` values.
 
-### Use of explicit `State`, `Reason` and `Message` fields vs conditions
-
-Workflows operate as a state machine (detailed in [Workflow state transition](#workflow-state-transition)). [Conditions represent observations](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties) about a resource and are not state machines in and of themeselves. Conditions should generally be complimentary to existing resource information, not replace it. Conditions in the Kubernetes API have a [well defined set of fields](https://github.com/kubernetes/community/blob/4c9ef2d/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties). Some tools such as [Cluster API](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20200506-conditions.md) break away by defining their own condition expectations.
-
-For these reasons, we think it would be more appropriate to have explicit fields to represent state and consider a separate conditions proposal that compliments the CRDs.
-
-### `ActionState` and `WorkflowState`
-
-Having 2 separate types helps decouple the Action and Workflow state machines. This ensures adding or removing states from Actions or Workflows will not impact the other.
-
 ## Implementation Plan
 
 1. All services that have unreleased changes will be released under a new version. This provides a baseline of functional services that can be used in the Tinkerbell Helm charts.
@@ -511,10 +592,6 @@ Having 2 separate types helps decouple the Action and Workflow state machines. T
 
 ## Future Work
 
-Introducing mechanisms to propagate `Reason` and `Message` values for action failure. As these mechanisms do not exist currently and will not be realized through this proposal, the `.Workflow.Status.Reason` and `.Workflow.Status.Message` will have minimal benefit to the end user. The separate proposal will address the contract between actions and Tink Worker that can be used to propogate a reason and message to workflows.
-
-Maintainers have informally discussed inverting the relationship between `Hardware` and Rufio CRDs. This is necessary for defining a precedent on how to extend Tinkerbell functionality without expanding the scope of core Tinkerbell CRDs.
-
-Introduction of user defined metadata to be served by Hegel that could facilitate user defined actions. Similarly, injection of additional `Hardware` data when templates are rendered will be addressed on a separate ad-hoc basis.
+Introducing mechanisms to propagate `Reason` and `Message` values for action failure. As these mechanisms do not exist currently and will not be realized through this proposal, the `.ActionStatus.Reason` and `.ActionStatus.Message` will have minimal benefit to the end user. A separate proposal will address the contract between actions and Tink Worker that can be used to propogate a reason and message to workflows.
 
-Separation of `Hardware.Instance` data into a separate CRD possibly owned by Hegel. Given the instance data is unused by the core Tinkerbell stack we anticipate, in conjunction with adjusting the relationship between Rufio and Tink CRDs, that instance metadata will be deprecated on this API and transitioned to a separate CRD.
+Separation of `Hardware.Instance` data into a separate CRD. Given the instance data is unused by the core Tinkerbell stack we anticipate, in conjunction with adjusting the relationship between Rufio and Tink CRDs, that instance metadata will be deprecated and transitioned to a separate CRD.
diff --git a/design/images/tinkerbell_crd_refactor/action_state.puml b/design/images/tinkerbell_crd_refactor/action_state.puml
index 1c3e0fa..38aed03 100644
--- a/design/images/tinkerbell_crd_refactor/action_state.puml
+++ b/design/images/tinkerbell_crd_refactor/action_state.puml
@@ -7,8 +7,4 @@ ActionStateRunning --> ActionStateFailed
 ActionStateSucceeded --> [*]
 ActionStateFailed --> [*]
 
-ActionStatePending : Action waiting to start
-ActionStateSucceeded : All actions completed\nsuccessfully
-ActionStateFailed : An action failed
-
 @enduml
\ No newline at end of file
diff --git a/design/images/tinkerbell_crd_refactor/action_state_machine.png b/design/images/tinkerbell_crd_refactor/action_state_machine.png
index a370c8c96361bc671dd90614a6b72e71252ea4ba..ca1cb70d998f48c817d322ccdd187bcfbab3ec48 100644
GIT binary patch
literal 12057
zcmch7cT|(jw!W1bdJRffO6UOu1VOq$q(-C(1PIcLAc9h)MWideD7^`2kluUmAc#}}
zDbkyC@Hg>0=brD}d+u7lzpiV!Aj4$ddH3wu`+1(dUu&u>lMpcwUAS<8MCG1>_Js=<
zEy4dvf=gfo&P!MgesH@g>baUbI(gWkEnP1tqaDysP_AeT7BdePD_2*i+X4bkb|?qe
zr}lRI=8pChf)dxk3ar*hJ=cGZU$_XCaZe75R8wmaqz*iwJ7(VaOmn;B0kSF*x|9at
zgJcU|d&64xmBETiCCcyjbjkeX)wTtRCCSOC9?9m?B76TD5xLHcVN5umfJxvDGAVbd
z7fpgSjji#;tkZ7_0t)UNuHGNS=UJdW+so!EMynvTelfc@D+;sLpRli5{#MlpOzH5i
zG+blaxVXl^-z(jZ<(#U#)K+{$_3gKq6v-m2C<kGi3PbBpkAUt6zVg>!`jmHLb#&tb
zVwOW```yIp8)6TxPr0%is5)zUzrpVqHR1S(7ASekr*e5h-rH}>7`mU`LttVYP~ODC
zzHT|o`iiF3X@dSC-^kWi?v0T9?j+E-(uGn<1<Kei#(_<K^R0`K7Re$!sZEO)F7SD)
zD99q+$JgKaXd)NR+xbd+y!EU}zi%?fr+-Xm9UKs&4hy}e9!jV4icKD!NwJF$3l0v}
z&Rk{-DIiD>lB^7Th@@1$h7gG|gnVY3)%33l#=L&=*e>_yNnP@4<%<Kl?yimZQ(pDw
zrlgNk?(|EfEbZ3x?Iz!OQ8sK6KyD`Vj{cGyL5wUx8k~R?iN_ky#S)+iZF!WJm)F_T
zlPuw~7(~I2N5&LduQy$0pQMz5a>|9sop-;Jd^TEWxU{~0XY5M;!%uZjS7|RRqRDqQ
z8w2a>e}6Bdm+|&Qqi;5YvEy`m6M|4iN!kUd2+Y4iU^x5!wMiz;^9Y%9)5%=OTzD?>
zL*qK9fIviA20Tb|XVlP9KP~h%6(`&kiRUc&(YW^Zn8B7YUSt=`Mxa4qnE}*Y;PO2*
z`GMI)nY}L0<xTX3Jct}x6AJd898V7Om%3eZs*(#Cl0IbRNrT^${9b4T{<Q8d7D@&4
zFY!-IOx&JtH(U<U%23+2wFb|4Cc+RFXyRS(G<ylR;hhxawfODUt{9%9AV!!!`I!n4
z^AF`*h#3hJ6BFbTFjkB#FajDp>d!-wc))mn4G9te8~*L{zfWmo0rUU+SN=7{|1O&R
zKd$;`%K!a?=P197jwWhhrt^XMHp1o7xVX86K7@Y$4A0W;B-erloYEEQ65sbcKU#X;
z^->jUWMb0)XP8V{S{f@aE9;vJDK!WStn)g7ivznHC(HOuXVB<f_L(Kt(9qyDHEa3~
ztU-@j`I2{bazKaht=D@GM-w#zBbX&OH8r7{F&<JDhg-Aswt~E1fi`PvYp9rm(M+A!
zY>2eiafb!G0Hp_x0+FuCr4+$Lg8u%=i2w0jFw!&l<%@_#2f2X2Cs}_yRKi7YMArT-
zEefIVx%qi05zIfbEbr5&SMZgU6?*WAJVgBI3N`KouI((P_}GXfCMPHVTK&p-^QQd`
zN)`zT58$@?`uYz)8li%<q1v+tGd?q=wqHLy$R{Eq;(t{2Md3!9hRj)s<4j!)&qF3@
z&-kCJXz}>X`rqD1I}0-BhwLx1_qh4_jXzru%HXBLuPZq?@GH@-1*^A&T@w?W{7&bR
z2f=5F>()pXZ&Y7)6}fe*iQ&4fCe%%_P?uTaNx)RUM>~UB96y>t2kJI={A(2$W6izK
z`_X*<r#dsZ4s`!+9&)<sX*YLY*5m&7BUU2yXZuORPk+Y8$Df{hCh5M3jBK#ThTEyT
zxa@{AO7eDgfJoB!PO{qq&hy!0C{yL)#fuR`%%4Ahu6njPofqRURYgNX^DX^r?eR)}
zM7bZVrnXkhZfroy(0iwolaAkLOlwfE%l9(A`zxLpluP7eTJOv%&!Z=4?Q_T(%h{eD
z#O$t&@8RL0VhFAN6m(;<a(-b!)cf>MCrACAwAb@SzpL#L%wh&_0#D3?38^^t)+gvl
z!$Lznw_E9)v9CxOSDesNW+FY4pWeKC*BcFX-kp=;ZKHB~y7tAhhL;zcJf!*g`;buQ
zqj%4yp+aT~NfRYoBTY?mUy`Dt%=LP#6rULurPD_XJ>RoJd349}<+_f1cwpI8?jb&>
z`UtH@N3M3)7M_&{nRxs5t(gix)1BwkXOB<z*9B^}{Bm+~Hbw#_${htBRk?m|@Qp7s
z<pqZ$#N=`OGbhD;?)7Z*tNwVQ%V_Dt@BTqS1VvJr!#Ntv)bzrZp&QmlT)LW?FTF#8
z6~w$w*2{Cf`jRCumzisWsfk*DbVjAT*r<#%es0|wOp_ffDk5TPo13m2!9-tdN^PDC
znT-VAVlKRJe_gNwgjHiNaKBz0Y=qtUIbNEd3z@Qt|JKx-Bo@fGw=zO(c-I%WPog77
z35QN%S7ZQOP*eF+we!4^t82-$6QgyQ=w|J~d(|w}`}bReQZq9ZIHDSPp-?D38IwYS
z*tGlQS}oq0EVVfOV#}<YoQ!Ky`(x(u4g>;eW5WGX{tgn)HYTlyvr)yI8t<u%86@3!
z&)?mCy0Xw6*ZP5k2l!8-n4__`x3{~yc$cjRLq@BU_;QN4TMq@3&#CkFW%fttR7jbo
zfq_kSO#)*ZN{))zYj5!VofoI4r(19TdY4ObM8p{@UMKrk@$gn0e7jQNHwq!i8<C^S
zKlGFiXs@vLr3?mQNEvOs>sZ|0j*lBelMxeBjsD*07SO~a3TZWs5~x3=?AE*tGbpwU
z+Zr0lf0%<v@DmmM3jAau`C?35T!!FvlpbR2G3xMwQuy`Pq};H}mijgBMG+BX)92;&
zXT6>tI+CZm{W8sT;1KCH%bMuhqv4?rY1!FIVw&_{m;bS?&_~s7tTE;G6S~vEuU;u1
zY)lEwHK-|vUvE?^Dk`Fd$<wc|>IR#oJG-7xE=qH8Pk!Z6|0T5fvc@!Fa?&V+28EY~
zgb7hU-|ZC(^t#2%u_hdDX2Ih$@bcni1$1hD{pn73{FL2v4b+8e7kB(^qIzw#p~mN5
zbTET_)HF1xqvC#P;i{`J|E|aqIEQ-jSm(=v0^S<e!z~oAfMHpW9GZX*zVM{-@a?Bh
zj=#^(__Qz$fy8u9b&4v@!A|h@qk0e-=qXG$OjV&x(&hv#J_N~D;zATcI@4cB&F3%+
zAgvn|LQo={8!|DnXz?)khx~jYIpY$mH;b%~`;r^4Ut^+Z8xmiNU=Z!ngwEyZm75#Y
zxKrFg?XP{Co6@I`B~JRR32m5|nCR~A#-?A!C;iTskdQFPVp6l5Y6vm+UURv3FKCcV
zpCksAU6aQ+YE!y3etNXqN<Sw!kp<yBSQ+7wk}`59%zznpr^1uvp{t{X{_ud+Ahu;0
zJ#M4dp+P}+Z?RWKFiOToMX`I*xvh_v>gDO?4|?p~#><A>dA@h={(U|^J{o@QjhXrx
z&)>epv;xLPy1Kd#AC^B|)h%c@CTw-(IbKY1#GcN+VrG(Z7Zew#@7`VP73RhGJnl`r
zy6OeO+Y$(j&T|3c*9AX7gco|nH-3FJX-9oDsrPOVXQWq3s64f{AtvWJZ{>ohu7CZ+
z99wi5i5J8A6b<4XB2h%e5$)|Q4HuV?fOdcV_~^yK)H4)$fyYW-4kZ;;(dQ2zR5_wh
zVS@eyL_|9W2XxbhhK7<JI~K|1fwl=rx9lm!@(mHoGK7SLdVSs9RE}qRdwa>kkNa@f
z-t0L|Z@f^38qeV1pkw{ntx?BspIfo?Efi4bYcsv!Qrm~l@&4ms)6+H|fPwKqh~1p3
z78{j1Su6he^XF96Q>vJ>6MkXC268(Pfx+D+AN^|L6GrgKxHb`7zU1!)m_U;YvgKb+
z_VMw4n9YpNgIt4I=$%<a>g#*#ujywTNdD9fcoQTTeOCpUW@zl_<1kbANK1>=Xuc$1
zKel}k#Wp%NcDOv-+t-J=4;(`tU^D)7$k1#{d%H%8G^23E(eBd0+Bd4=Bom*r81PVl
zt#*pnx3;zbB&*%&;)xF#`SPXYh!!|{Dgbb}2{^0;EDV4b7-Rvz%^uhMK0oPfdGJ>d
z4~G*d|N8`496<Xs^{?MdRdv9GwEwi$zgBI;<(ZI;;peZ5i&4#Z*&;D0L+}bZ`ud%H
zi<gWlpWI|;_vgNk9*b>jQ<^RJ3o3R2_+(|p1~=0sHI&rDN!pp$cC-M6%gEn{vefL)
z@8Z1?rxP&l>FUCzX*aezcNm3HZc<BV5dX=Tq)a)$V0u>8O>XYjjQuLyTwGiN0*`T7
zUNL`!gM(uy9W$(@t6TQsz=1<B24JBAllu3<)SPpN+w)H<ulp-l3dGD}p{hzscz9K7
zVMDkS78n?aFn~30BOgALzfKe=moYe5@00RQhi$U@*{8}%fJnN(efwthuBz(xA}ofL
zmEqd8-JKn6@b4Wn8CeAK;l(h&Y?QY)v;}h)`hSl+|AB)4PahoQnpapTngOYONEjnK
z$rvc7rLAp-grd=C)vULy>2QK00fR!?#IaJ_xc6`*j3#z<brs46aO7`POArNC-r2b*
zH*{!7n-}1ixJCds2bVx#V=8Q5I3zZ4_wYbnq@u!m)y2|6pp%W*-rHLPQ3JtxN<u_r
zhJ&!7I(mBI?pvl2uOLvkLZPnkKLPKXPK$InE^UcIh+|}fQ~-n+NRyu>K8@*KfB@PN
zBmoEw9tp!0G=yI8LN{*c-n9aQQlc)sDpziK;QK?je*OBTsr2X(Bkq$K1%O{><lxHj
zoS*J$gegTuMHPFW9cN}{hAF^raB@11mvHm&tOELjKmr#!JwMs3c3W@yQJ<QM^XK~t
zZ%_AzHGq>DRz6t(Fesq}iD^Crv*H9y&gUa!K5N`2Zf$K<i{+i=ltp4Lcl7qQcKE#;
z_*vmRkB7N->cAg^didkX5ny;@XUWmv9_jg;lfatQb4OO#mBX>~5+{28V(&G<_4x<N
zee%)yFO&;zaGByiQEvKwq1<chrojOLS8!KQJ~1ij+1eONg<ltmblsTL=ZMmO(;mff
zpNN3KJ^FoQOw35_iv#sSSCCh7b316y)<+(ic-7D#g*<kCtgYEi{90Fzc&$ZxUA!U5
zC=YVY4^q6vJ_7I#@g3Tn<6Fd!EiH*sP6<II6EG<0SaEP#>SF{P0}#p-fQ$Bi4inSz
zihG|{3<mQ~GV37X1=9c_a9S?VFMjW_2(6f(taQ1h-NxS5(sRZj$Vipcg{4XHKF+)O
z+8v;Yi<j{TmX0ba#C6au3(uxK9s|d+cNlJZNK8zu<*2S6juOhCnX+#UHq&fd9?S?_
zc#yA~rd???{gKIbF|~);@kL0&Mf<K65W*ByRfBKpyYDS)?WL?wl-F-H5x;-`zUm<r
zh}E^OKZgKpHyigWx^PV2#tvx99+ifakmunRRM;}L2cOxKoPvTi_Lb}L-cSEa=53)8
zuFH`X+-Z8UvKNo}V3bpP>*X`)`#>C^C-vNeX>(D>Yf2qVx(L+n4F%KiAZTo@tQtl&
z6(gAL2wFCBwP`|CvnXRWrm7!C_klYRxRBy=4o#w@v9u}Y^T_Kp6LXwy$?uo>?Fn*_
zlL8kOz}MZdz*}fD9Vn@;l7+>M=TiXWre|afzS%pL7_B*&egTVtiHg#&`@MZjnSj76
zwy?0cF6B;+o_3!n*;6X=jN^YKxC1z*GQRs-QM=$2xv`uO0)HS3m)7maMeOzg3U5*~
zZx3&+2W+I)^XRi)DN0dGOAFwD?*4u<GBRb4FeUR6dQ$v5RPEv4E?P3r;VY%XS+4r{
z_*{oSFW4IDc*8#9ePWNQEGwhEHuD*+mQ-zjep86UGME+XB;@7}NUE=|ue<eZQy>l*
zSff)XSkeYNi$XW}2;`C_GP+3^Z+|)UlwD(5w&P-^rR6C2y%1-T3ZbSAY2+~RKDrs3
zhKDS%>}8nE0s@PA0{p7&Kv=7AeF9X|!$X3onF7-q;B|gDAE8K>$`jn>zW?p9mzS5;
z1^F0&HJ$wzV^B8bz4e*-kc?Iv8ynZ=z(MjhRoqUVqSwYtiB)RsC(3qorKF?)+Y6__
zH@^Mk2Z3>LSXikhwCRd+xi&RbSjI$%;DM~lY`Bv1+XxT*A6L7B-syj0>k$`BYtUTo
z6`P^n|Avjn_BXlQy?FhGRH2$?TZlkikOZ-A_%$*0WNb+uM5o$*RxLXi5XnE_mFn4i
zCud3~$iaC$=5sBt-$6RMx|-BpkukUJd`5TkA~8;^ItPht>OX-XP_6*I1ZZYM0_{x_
z9veHm7WXt9e3do*h{C~F03{xslZ$IPn(Z7drDXK1jN~)sLr@4#rmHyY>iY+~-uf4I
zU1MOPP#XLfb~P+l!(mr1(|=&s$o~bqZW-6yOEZLIc>NQ*UPYTK?2g-hdb&RT3*7i7
zHE|{9^Go_;%22%xz&_mFE4C=xbZcT|(f1zx4Zk}66TdRC7yb|YT53>e9M=$?252CV
z-m<c?niRW$36eG?oEqm^L%O@VfKXB9Fcti3j3+JLL2<@&mn2r^bgS7Pp9~Kl-`r!m
z#sky3wFv@^X|0Cz(GL)4H~~SZbjg|J<oJEMBvbu#^_J(M6T&TkI6t0heX5#H9+tea
zo&mW~J7*Hw$}$Ra018@tAAq%?2bhS6{!EpqJ>A8nCH7|^Llk)ep#5ydiw>_bG3Whr
zn2-<!PyUAw7I5e&fpAc2Dhs$5&PW*?hF$tQhL!m57&iP+7Gta^Y}vCsr0VJ_vPfap
zKFWjVte~WnPCshO#Y*a;S-r7dsG_1W=fy=n2~yp*z;U5!R@0>)Xzy}9pH74jq=lAO
z@B7jcey`WrudhMH8?LVbOw4rWYi<&FnQ92Q<mD)aBF9zdv*V}DJByA^9|{VjUhEeP
zO1^XDX}YICubO(}!vNo>a+z|+nUA@-4JO@WREAF950pOx&=+;*#Xf+Vm|-6Ov5mT&
zpTjxkOkzIgr+~HYZ_fM%SUKwtgp5B8kd%`0{F1Bnsb+`B(n3^J)V?n8511Vy{V$aI
z7xYZU>4WGBI8F_MJM#@>BkW-Q8IUF|0BHZ9)W0U+q`|-c7C#2=>%Xw+->2fB?O#&`
zi}E0bX(uJda}0K4Sl`zGn+AieB6W2?Csjg#Ue(#rVG1H?S$a{C)?p#b9K&^K&x)$5
zMBGeruFG?#k6lPc3-p`+C@eq<7(ca!%u$1@A;iNIf`hurdwZ@uzTXy--_h{sO1W>n
zJVJoM*x1<2%o}bJIoYYHsWmmponVl#P&X+)z9WP|T~%NI8wmIbZAeUQVUhRQ^FGbw
z@cH(L?u921nuKNm3oN;S3_(BlnfW#`PG;fdwOG-HhG$k)G0bUlQ8R=so}Zmi{=5d*
zlgq^T)5>R?#z40MiMY79cu?u-)2BUpFnLO#k}WPQWC84=`VwrN6biSPZwn*MWBirA
z4~TEJDxL@lLy*2IntVQkiJ6(X)L^~Aiwg#8l13ttSczN+n>7OigQu6*?(QyQ9VaZN
ztG_>D$qnXzFAgXq0T_(gb^bSJuYpiNO6uU?U^%P_RR~s4R&H-=Q(c*tU(*K3NoFt;
z9`vJu`wk$kHqY+L)6yTdw6+d1Ao1Ri1C1{Jl8C6Niqj1CAuB5@aBDjbu==GKRT_Hw
zv4H`WZ+E`fl-AYNDJm-3@xuJY>G$MiWa^KPpTFLG{NTX|7S-I<)iq`TRBCz<MBxcN
z`tNxj7#MUVi2~_d(3B{2e~|2*RmzBsXq!TfZBiG@zETA`zoKI7=e`kt96lc24y^#p
ze=K5gaWOKIJWKm$=1EF?JXd4CKVi&lVo6Dff}-Nh8#ly%X|(`#R6$_??7K)J@@n+#
zrDsZt%F6QBYg$9PSjuY2zr$z7$sHi~)zvMF0Wsj9rlmbTI#M}`E!_7rCnO-y%tP84
z!TenX!K;85dhp-@znjs>$Ot?kl<aE;{GPJ5vGGQem~5jz7S9oq1;5v>X<|ZVQnBx$
zS0NN#?yd#>p*3hz8o!>Cl~sBA<^vLTJ#Vj`R~}9NbLV@b|M%~v2S*6mJS5)LtJ~bh
zV3!!+f*l?Ao>jZB3JD2`h(wP9vRLiQ3xL8DcDJRiZEh^#0us*}ADjYxy4o(cp<8@-
z;Hy`XCyd+R>&!%fY=VLV?*y(8MW{ZT-kj2cws=$1(VZM0@AzMy%}B4Qk;=XjBa6W8
zdueHjSL54fe^JwZ02qX*k$6Iv9Q{PD4BkZ?uF1gs=_NAEJON{9(p=UuFd(vZ%2q;0
z{$`u}TncC#risg@G_n6Y1K#0dWo=DJMy7#4Sa9`3#>Udp(kcOw_s0xbjsZ}H=La}I
zz&!PM2y345<vk=obiXnOygxJ~#GES^B6d?$G=^;4fi8%qV3u@dH47dj{l{fB@<-s*
z>*;xUgw6oHJjPA+D|eSB3Q9t7%ty%SKsV%`KK%uJsV_yQUsEq^D`Q|`VF7YAW_Aup
z{7;OgSWTm66=YEN(d0Z!vjDc#pz|{{^GD)mDu+IafbIEsQczO9jgD^7bY<b@=5B0k
z#Ce62sDXh28yg!XC8ay3_N&XpuP_)m7Ku@th0A2Z?z`jj#ms7R#i+&|u|DV|of900
z1e66lbZ>3CR+5V=C~nz~ge_Ej_nQwA<D#RjJ-4*fZdkTvNup3)Q4ya8#0bi-=d2H`
z*-p7cQtXt__ZXW^$jBXR7In(jG_0+Ge*bB<zq)EkKuQxzskkXd9%xwR9+H#6#mfsJ
zAQ-6DZ}#%edD|6v8?bC3E|AOM?js>Fv6_ks%Hn#E5&ze-XjLor>1{>yJ-_sHw#<wz
zQQ<>27%cdJ;GS<lKmZVSXN}{7gNaHgd}so@BCi0M@1Am?obSTnp}RC%jg3HKTW;0#
z;^(csz0;GK-+fq3C@G%&3@BUxbVr?+0D_@mS*B&!z<_26ahsP_Hb}D04svL5Z(X><
zWCaLuI3;cC?KNldrmW>607wA>ZweqhWe|#)H8nFciwt3EYf!7<ZaxQ8zP+^-dP_M)
z+DmZY`(!|u(+%)m^deS~4#s9plOUIYnnZnBS?snmi$S5=_FQZH>r_S8YaJ64N&SXd
zpyJ@{yv_5ehAn#@TqmI9HyC0v<y~Bg<<i`b7UEiO0VQf_i35;10%BsI2FS66Gu^oj
za=?sz94{=!X0pQhec|EpF`Na7G4C^tY#l2y#}zBA#IMfy{PuEk5;O>Np@KDE6cG{G
z@(UEcWU{4yg|Q$MfPIh6>DtahyBmFk;|>5vfWQy*kZ3z&`0$M+!dO@a7E5j@z{QnY
zP+-T_*AMC^q>Q&qY(_qS#G~@a29>QMMK!M528dfMpP{aiQP20P8_Nk+CWu8weqzf+
z9SgafTkWqvZKT$1o#FDz_>ZNf&GFK1-)0ia#9|9M&fQUEp6Lo_e`i;G^%Ut^uM;=r
zFoAgMzPE&n(Y{(lg`2w9?>sNTVh7H<OtU4lI9%Z_G{MEHVitfTx_Ji)3HMgQ8#Cd$
zpN#p=GMY32UMvRrseH!UW#6EHg@Xf6xIf$rR}x)2J@vL6&)EI;IK_UlVo*9^pz}*<
zF3`41^=&~^1ndJ1PoTk<upY{M`SPVQp$^a`0q>J69V#>|2M%Z`g7LB`3g=Amd;(|#
z<2mgO)u`G!(q;se$FGrx%)d<>rfaNcoolz-u2FFyuo@in4?!7e1DCW5o&r%v?mFxD
zKOB``|FgoWn6$L_V7j7iI~~#9&JKf&_h}x8UBCdQjeZ~%Un}frI<t1<<1c`S)K1l<
zwj!uxQ<N3I-HvA-TxN<3i$;l1h4QdVNL2R1!1+m<He6_|b9Q#l?h5MOtl8}Yh2inZ
z?7&ZEmqMSrJb3~Mffg=1@T~J$X49$(J{QOEkQ@~D{>nC(3NELA0>tPqUyvtU{t4On
zp>Nog6TjUQKC#P%OrZUKb%{UU<C3ccW}-88ZyX-h`5FYA*|^H}XM^u$q4)stg(nhy
zl>Zw`RfYi!j(@c+6zZ}(!0N0cSLEmCH<+QE!6sy0ceZc%Mf!2y_2%I>#)?FNW;;JR
z`|lh~stMGVn6(n=w1VW16-9#CWXUQ{4njI1k@&ky{dBQHRc&r91#l@(9iA{<8_P3r
zJmis}E?5UDW8$$NA5{kzI<y)hoHwWMsBkwk!h1tOxj=Wb!Zil9iV*w=QRB}7h?b33
z%waMpJX{I!D?Q>Lg&4V*Emsv4LXLE+&Ct+LfZkUaZ*)ETIfMof4Cu2~*mkBD5dXVE
zwEa@M5K?bYH3NmmW=oCtQrtBnZfkm{l22E@bjJyVJh-L{N&=#e(>1ta%9c~~S1S>v
zkXa}4h3IJN&;!9RgqoVL4)NVpV1$XLC-(MyU3Nez{xX|nVEsW`XSIl;WKWsdtK@M%
zlZ=dvou=JWo@q0@YHt4oj<RTOH2qY;wDV8?iQ7~K$TpxmQ<wxWbrVz#*fpu)<N`O>
z<$<(CW#>8B^!hYUJ-vABd7O#2tb96F4`P1`h^!fu1QQJ2iM_`4*UAXDPPQq@jx}&2
z`*1Z-8qlKWdkiWvOP~ip?~AOdY3h*yg1dQnHc8)FFE8&GeRpbSjz$W9fg@mjm1<UC
zYjeC^PAQ0Hb+;keiajgKVx<_=D+E>>ij$_M9Vf~PYiIy#M~DViAB10*@QX7uH|Mjv
zhZ-Z~4i-p@kH@caZVaNn3E*&^q);=KggdaTzqeP^fTGPhNLpRfvF<1v+mB<^ZCasr
zR}*|Yi~oH`;wGrG#oi>6Pp10Yw2!qgCl(Agn=|#lXJ4`8^*D~^!q*}Rbzy&_wBiPT
zDl$zNYJLGimlqdJOiWt(-eRaLK$AiA>$e!1#%!!z|NA?$k3t6!qM6u!C+sO}2XePG
zUK=ymELJ>(1!pA0(tZrW3PV{HjiWOyx<Vrx`Yt~HTY(mOjFqZD3&3DeJed$$z9Fd}
zJqf~KrqU{r|Lu5pKuRzqc`sII$#wvF6p#N_{5a&G$JCR{uB!=iWqNwr*w`3D!zk`_
z!4Y(MP%9_ReNivhyMLc#U*g7%7SBUh+s2E*@~RzjNZekkhLBm=qqe06Kl0ssX$oK7
zCB!*@vK-VQ#u^;MKhHu5$93i9gX2(FuyKIvG6x3*H5387#SF@ZoSZqSsTX(vnh%Mw
zDP?%^=~)B4^RMN>%aRWb3}8m{-|Btpk1z^cATRuX7i)wJmH2U`=zr8|zMBh|0x*k;
z4^H6gdqQ5ev7nLh%F#7zP_?(f2M|SyTu{&794oq<qddi<r(2_VjPoerEQoND=+mR&
z(FD^lxTmKl$Nj|2a=45Pvm~phC9b@LW4-Iaq8fL8A<fL#bafv*=mdQS6m3ssWo6IL
z&*vJvK~%wJI0b@2>HRs&ry+zS36YU67XW<R#z<*s^y8Xn%Da9(5CKXWf1&BEpuB*w
z@?XJe671~kS`gbRw{=*uXU`YE<Yp22)stVVIof&Hm!6cy@aKn04;c!-^c;g|4bsFl
zo)oYBZ=e(eD)X;#N09jma?mOAay-o2%*>{^O0uBZZWVz&mmj^=*g)1eRP9f~&Zbk|
zXk70-g{?U{v4`>S0FSfXi=~+gcJd~_67e=yuDoXYe6r4~Iz9c858tP(M>vb2vMfjE
zYw1nRgKbN+d8XOU$n>Xf4ELB?7H4B0ag2ffAP;ALH2Dil&<pb)8)0D0h0#JU_SY=t
z+Q5l?Q-=14<aA&8Q=$o=qWT{_E`NG=QsME0|4ZjgE~H!=b5rJpvJp+*Sp(Y}B*=Sh
z<E6Gxf${|ap#UJ=*TNI-{RwZZfCCB-O7<<0m7IVh5(PF%<5Kz~+!p|MtUsJ1#`N6j
z?Cu5%B{l*cZ>=6j_zqFJ0JI}0{2;k*+&-ug;nIc>%!6cU9|18N?zDkX&4LLCl;?oi
zeKCX_F@r-xpF#4#>zi8q2=JuOH#*Bi7qlFwu>DapnGAu<6O~B|mMV|kMZh3W(a*p$
zq6y#ilrMmCG!8DYRLRE{JgP3Mt2-CK2M>!yEPt^y1hVWIkaQtgwh?k5X)ND05gbnD
zqPnd=6bouO@nd?2QN=Bl>f9!t+gBOBvhGq?CJI~1aS~5x=Z|cFmBAeVnrD^IZ)uom
zG~X;R4kd!Lgr$$u!@~o#t+<_gD)=REG~Rmqgu~V5q022Xv3%qQq#2Zco&*a2kr5&N
zc03%=XfA3Z*S`A9;3>F0$UIi;CDAXkb7>L=ehQeWnQj1Bi>m3>ycan)XI9b&ig>s_
zno$<oqx6D;Pyp9&*pQSOfWKd%Pp$)ki~|WXa|%E;n5NlOngLqv>J2qCxtHK$rEFM?
zDyGTz$HGDyjjEa&Sf!aT_v1%W0)o4vaB5OnVEUsYz#jq4!VGHy+*^c^zuQA`1d9I{
zzb+?uWU2VqZ%0McdsofEwU|IrL;NPFaDeOR_M#;_DJnJ=V<ma2CW6HCxB(LUrAwFI
zMnxGK7|@eUyh%)4SzT2#(S&|{shdwiN*W#!@tDi*ido3E;$QWV3WEFh?*pdpb}~i&
z?3zhKM_5=Gj<eW|5|EIz9z_aAhclWC&>=D1m-Io3Z^JQt#-_J7)c_9ywTHhfvIi7M
zCIfarBu3p8Od4vy=UHPF8J9)GYbpKy*LPdQ5gBkR60<x3a-n0tu2fMg67Yj17Hp4!
ziK#Dwuy^>&mjJG94g;9~X;Mjv$h48^G#%L0=?Bsn*}o>2;CTT-=p+>h8<YocNgrHq
zP=6)Vs$<~^un`M~Rvr@c^PEzOu>qwlE+wTu8puV3vf#}#GYV%{R}HnaW-;x?4<6i%
z>RcuUeQ^;$O5eNwtQgPp;zL?GI^m0;gU$h*j+dvW`n%f;9PJ_Ot=mm8cF$q{dW1?)
z@zpASQKwM)2ixtvV5X4y)30Ti@5Bc+Zu02J@SKky`MJ0{9{8|SVX=ZNEH7nr6~M4U
z{z$q><@6FkQv~bI>~|#IPxpWn6PK)NR%hPRZ6wes$Y+^2zhc2c(@Q|KN$S@ONKtTJ
z;Z$y*1Dq3Q)-_oj9jd<mz7x+6fP;aoS`l$y1x*fub@wo|u*jm5GF$*CBNxC~G&eV!
zo14E|7)--n^Q2&42-c!Zis)hqPe^NE0D^(K(CEu4&}DWAVFkL2dw~${cz%;cZrN&h
z!r(EonM15;kRbWQQF3p@OBoF4IJADMrYG+gM;JiNzjf6oKd_7CZLtyp5t_+QOHc=J
zUN(3#n^r)CV3sM#?CkebXJH`qyaU_RYc7i5epUQEWNb_ichKs0wYA@-q@-jN_&)dd
z^8@@DcLd@jAd&&{t>oBMX01W%pcYvCXBY|;VI^iopeu~CPRRJ2*Gx0e6N&D$$L2xi
z3IM&{L)GFNx3;vncC^jU%|X1<G`Z-3ge5NYq|#`!C=oO*Mx4JPDtoye^t(wF=M*?g
zS6s3w9dB<}F2SohF0-Fta!#VZAJmom;X~6t;C}QrU<LuWrr^)F+ZZF<D;vLleW(e}
z<-7tKBWvVV;QLY9Y9Lj)lHmFI=~1IUzPaRe;9D&*+`POBWCvC_IIHW(34?WYcN1UR
z-ra3J4D<zhMYmsLU}`8}!TQfAs5e(;>g%x-=k#n~$zULGgVGn7xv9fv^LA36vPzdF
zb(F5zJp=;cvmFYI7NMK}2&j@6Jiru2)@L)6Bg*F3mg9xYUB%e!+(3&JC_q}~0;Aj(
z5ffWlT<o&=49Z+Y581E-(;=x#{VDBRS2ov&bNVA$<&C|M7C^-*xqk<UcRV^qMp92#
zkh9MfG&LhDj57uSQohN?W(MkS@z32~ywCtW8K5!*^mcze4qo1#;b9lhfJVisj?5pa
z5lRN#k#dTPtpI`rO3HpRs-&c$`Q`Kbz(>+;?Qo-dGk|mMyMP5~{h4{bTG-Li0WNug
z?9sr$0O+K|b+tM?Pnc)^efX-r-bY=%kJ;xG^+C_rn5hd?v?A;K)zReTi(u(^vt{)=
z2wyEc3@d2HvKRnPo^2}aSLFX*KyZ|ckFU3<XA&GF&=6diCkSm*rOyBK&nl;<rwcL<
zKFZL|H+ivM+IYKx;^biS>$@}%y#8vi6=5LZV5s^kAo!Wy?$VTFUEQxy!&rm`P^^uD
z`3%dJr_TuefepxR-AALdG_~`PfP^Mo1ZI0dK|!%S^=#(#Z+^ovJFGq}zY$k-3%U7t
zi8X`;)X+mH*p-%z$M+5n#6E?BeG%Q<<_}e-zYAQ84*PPt-rj7b7Ic<gM>|D>NY-SF
zYv3Ji)IfkIk6+yE22CE;%rz%bAYw7bABT5#MsW%~ZtO_U&0RM6eH?d4S#J)I#Iu}7
zGZu;}-cd1KEG2CTxX#|48VK%^{g4r+R(s#odiPJKs@nTA&=V~8_de%);lJ^Z%x-nP
UdD(#vn$$0-D5@)blr#1Fe=H8Yl>h($

literal 13184
zcmdsei93}4`|mT834?57DTGw^Ewl(tgk<0MEN#|gO@t9r$dVAU?^{&%U1+gysq9Iz
z?>lks>GS#i&iP&EoIl{4uFFL;^E}V{eZTMJ^?Kd+Jk?NBq{1G<A_zjIboGiBf}r%^
zr;`i~uLP#wGJ{{dF7gI0HyrLgu)B5J1yQ_p_m-1|%dMLnmJc|rTwLx+3Jc$}v$*Tx
zYHufW!@-_b<N_<)LEc)&z~w)$BPh6y`zu`yQ}y>EI4_5{2lv<;Zjxkbz9T)flENv#
zdBj~)ZpJNEwK6)tjCsGt{%Eqp=EJqb-izW*EN@Flu7`Ko%!>Rdoop`CV1DzYX7r&f
z>!k)dU0xlAH*RDT@w$BB^E97^7%`SlfBATP2v{4EKay|E{wC6;`D-{%A%$u0-sMCN
zs+5&c>5h|~>>?Ud9>Nhtdm0~%L%tjGhQ;81>lGYzv(I`$Wtx0ZuIZbWll-h5iqtOT
z9F>RCB_$8)gf`!Z0uCkf@bo{IJq81pZ(^=5yzOXpLMaSp;&}p66doF~_uO*!9^2PB
zX`|AR*1<O`D<d5#qD$IsrJHu*?C4Ey`f8h&&A3O~`$FD~Bp1%UX0$tVwt=ne`B1Oy
zu69Pz_4aYa(y`pP)lQeQzZp~!CZ~#D{Xws8#@CB1p5R0f(FUa}mv!6+<`X=1bbjr8
ztg+3>c|h(k6%ibCr9<@03#|sO%%@7nai-2E8z-!k#c3Gi+34hzx-~iQSNy}DKjNYb
zQlg-s`uU2iDdL_*Ag<b9vc<5K(bT*1hxGiY_`5q|l$2ucHaAyEZQtE78?8y|^d6P&
ztaiv6MG(47`XB`1fiuJ)NHYAwAqW9Y(8<Zo4GIg}TwP_k<h}P&^v0C1>f&f!-P^Zx
z0f#V%sPp1T&HP~5#q;Mwx*MYfjTeS0{2o0*6V9{mM{=tl@1=`8t;#1Xtmt?dg%4Wp
ze0kpSgkYGgADZC)@{-T~%YJ<8!QN^o&p96CiEmq5n`i;Igam^;Dco7abHk1cCvxKh
zC5{b;<R`LwZ&`%A>8j+x^B@N23=Itx_zC^;C|Oi}<@Y+Dx^8T;t0qAM)(k7}qCqr}
zB84SM8Z4qkYKE0X;d?kF$cX<Tf3Jari|gv@!otpo>?b57EQ@i%)1S4pTs!0=u($rz
zEUi2l;gB_m;Y2UjS@)iHIf}+0%jd9Nj?6fu-sjDmH<vl_C<F_S`1>$076uIW|Ncv`
z8v+`36PNS)HKPWhKMVF~$t5K8Iysr3k7{mie){w&&k3+qY-Ob+cGusZL=cmnmDTHF
zZ!Z`G#yxRoZ)+Jh|KP!cS7@2tIk7lqQA-jmDHa*eN>6XfJo*;-ld;7v>B6I`A%_sX
zM@huCKi{J9arccR={+UX@#DvN7<rJZ0dsS97cX9nAAM6+*4fe``v#A~^NCAHsJ=QM
z!G~5sb#!!ylQzSlkkc|T{hpe-x_rrP&LBhUDcToJDAvgPa^ph?Cnn^$bX=w;2b?zR
zj~_qM3E|;1I1CO+zY446P0q|bERVt<PqhpTp2)(+slOJQ5$|$S>>|Nc_UqljQhPXP
z1_lNVMC1jmr_$lfnKLb|tzYVQD%|Fc)YLjA+vBN^OYt-;%A^qVmX>}ruFrn`{rfkU
z-4*f+39lD3lw*>Sdb3q(a`FntpND1Thrm?ar%owlNg^2LoxQBB!oosD|Es>MzdPB_
z-vd)0P=BFb-iyJ3{l0(yu7PZg?p`WBIQ6O4Yd5`19*gTbV_a%?S&GKj*SAkCx?_8!
z>b^RbE#opuunwc5to$yOWwV*dY_3P8@Olj^E9;2Y=J3XVQ)i;|*L=gqOlc{pp`oEG
z4k#_cln*-!Q;ffMttE<IKY!}A*N*@ug%D=PsV>e6ll`?`_4_k@yxiPb!wfXXj#a{L
zyZH%1UN$y-I1cL*TwDdSuTNp5cIV#Nc|h=|6WZg?IVZ_jDU4QDvpb4OFm&Y#8VH9S
zmktUIeGKkotBb#W{W$N~eA#H`^kA8TuvzWHdIIXt&bo1l4TFTs_cN{0f~)K6?Vmm+
zmrV60Cv)7@zP~V(qQ1Mic<JV+@MkRN+!jX?v=QUHX2GFK*I;{#uH?(b7$ftKp=^3O
zFR9sO{L$&5uETGQu*szeZ*q3_6IJbp3i9%rY_-ZULZYIgcCpsInd{TNfz?Hp%|Y9%
zzk64HcO?9@jDNr1er{CCV=X%`kKe0_m(ZWeR#G0&9L#ioejv&%Av$_;Vc~TJ#ukMo
zp!3yHa)C#@eka_2_39PR#C5NA-MH=H`=grQ-pwGQ7Vk;0SA_^wuCp7<AK81?zU1j!
zM->>C^{jzg@a{7SnS5fjwX&M(P79R5EZt3ktm-y1Ki^(s{&fhALoj$$rWO*g@a@fw
zI~}hoY`?y)y1&@drk$mxd2`^~Hx;YQ`->xK3eS3|Cc!MdmhorpQ>P)%#$^gF)gI~7
zLKYdFoSm&b;Iylai9yU$KS6~Gg%qqM-os_OeNjnC={@RIWTag0V%<S)H<m|0AbtAJ
z?xq|{1HqZ!#%Lr|JOA#ue*Jo7>nz0>#CL94p-IJauXL@P?9x#_OxIfSWxt0HAAVEh
z<>hr}A})AR6M1v<^YhoHRj-Z97RH-{?{p^qI=;Are(64)5wo*C%S1~{^eJOwW8bg7
zJEcV~(^@<Frz6{;icEZp5LYE7-bI5z9xL_WZE$e#!b6YT)?ZE@&$U^J2X6ViJxRt(
zvLN+ny@iFv+^E={4$7lv{3qAu2RFwW{AxVb$8pIO(e;cov$OgIM!#leuAwEpc3fhF
zO!I{Xj}cEy1@(TY#<MIxKct3BoCG@^6cqIM@#E6P9f;POfoY0ivc%nUFv!Zu!2w;>
zEOz?U;(Lfx%Xa)DyN^H7ig>=0r%r8eZJob(@e&lO))?W!+}yX7+J8-q?}6n*wIS}}
zZ{{Qx0S&^0L8XiJ$#9YV{e2C@28EPBaUd28_#pAGzcm9cA^t@y9sjv_nm0K=KOauM
zx~|QEmf~oT;+V+EGX^wp8FL|lish_}&E)$43c(SD<>lpuhK8X!#xuCENsE_jWF=?s
zMynpJIRPJC;sM)`f~R<_eCAd{#c|!S5^PlMj6df9x%qur+|qd|d-e=PcUDfh(5|V*
zt};it(##Ud#Z1bhCqCEH`=be$vF2%Otmp5ULy&^Q*Z3UBY<3S<-ItS<RR}w-+U^et
zn>XrOuJGEzaFt@%@t+@_85dhc?1afJcdeX^_|X{Hi|&-(d^Ne{gHBt!r{S6~n=O3d
zLaf_zn9rUcxLn<Vw1`Of>GARL+a0gA`?S@mj!U`2U5p0rNF4L!vioU%xsrwH{4LdN
zk6-iis)-p1j{^f&?_S&L<MFT-p6xH_HKhgH4WuI#CTe9mUS3{!JfXil!DY4k6@>1c
z+qZj$BNGx#H8jS?$7M60JbNbXIPSj__Q$?wWw_GS`0dTlU?N_B$@>c?1_qyG=$JDU
zS97Mu#_BU6D=4?-U$2SF^x0ch#8USAmetiA7(3KNB_=NX{3%DFqo?OIcqfqap}#$=
zz}5Rd(OLQAY>52a^3RXf@_Z^Is^qT*=+&i`+r&CG_96>i^@(2elK~$lgC(!@`%-s5
zN<E@p#?o)&+u$I@SN{qm@Ad0`R)^oai*;G<$pID3?uygh{x&D(`s<v3ACVRbq&zx4
zH>a|yBwfradAvP9Sy|cI0(+>Sk><Rtt0yI6dWGW;?S6l>`%GVs&cNehUKjOexTRk)
zW~HSWhcJX_hVU0JniM|q*njx&;jv|y4av+X>AXd!g&eN_7*11Db4an6`3{Y5N5usp
zvs#taoQmbo+(})k>hw5G2?+^s_uu_BUb}9VmM3%#Znwu}Tqq6vfwh7Yieq7txusfa
z_gz+5>xRwd!mx?9^6Yu43liYrR`iuz6rC?c(;|<MlamvlXjtc6<BLtcBSB%lz!j@<
z+t${$98G3JR=qJ`tHbX7D@uRrO{d3n#x;j4SNtm<2;g&5sael2LCFYx`qWwx!z^PE
zKKUU)-7vVXPsfJ0$T8gI+^w;k5_uG}A+r@fK0`}W+HHQIB&trXMAe4+-QDe+L=|ca
zJ%+E92j!xB;tpLwLD))1NDVEM+PaT&hfJss4)bw{h!pu8>~krEBrBl)%uY;PnZItd
z74J}+;*%q&+6!T3B5~bW#X=RcbUdX}`Y=V$Q27$?tgPqq`g#Uk=4rqFOiC$<5qj}(
z2!qQgt-ysje*M??Hk&r)2bEAmw%m_nVwl>~tHLv<y)!%`&_8?CFG)L1Tvbpw+&)xl
z&(hx3(vq8(*IRix=kOrFkIGI+P~R>VP|Iv3>tfG4j+5j)EjnZXRZ=yQ>|0in&;Er!
zyB}B_x-1hD6U9~6F~jo|tQLc$6g>mw^}M#;k&0h-sW0s<4La0iG(t>?*xFd%ZK>D(
zDSh}*in6){Ef2oOq|RGfQ1Dq5H&3yYlvMHE7i()Sl{E%lKR!HTp<oo?;Ob(vdG*fW
zU3POvVw;O??!oyzHCNa5wpg*81$@%R!muaA$k1(!!gRNXw35WqQ+n>VK9_c;xQxz-
zi@z{7?@pB;j!Q|76T5T7tMdNh^@9JlL_YJmZ*TIMxm8})tK?Sk%BelOFMmi$MJ2sX
zgU}~xNhuISRry<d6=T39JNxJCM?e;?F%F70Ha6dS!(@Zq(uE@w#>kA*n;RY#pS}Bu
zw|6DqhO3D8kb3(Q`s(|O$9eH<W#<4V0esrt-u@K*TUE4lqu~+Bw=xIzZ44l+TYx%r
z8Wr1Sy)W6!`(dWJgoVTUgabTTup&<aso5X<`xl+l!mqsoYEtieh_0dxpj|c7Ns444
z4v(JR-W<2yzCIERl30n9kS$%u=f8-F>0PgJnSP$WV8c`YvdoX=tld>*<=!?Xq`$Sq
z_N$YV(^-cRRwky+t>qgz!<`z0<@rZ1Uf|A-wH+}}=qd?*@+A4TkD=lB!n%FF_KQcc
zi0rp--;!zmzo8WWD@THoN33;7yN<p-1rL5!8|vX3K=Aq+8ufVuC<jeVS8%jAq)Elp
zlr6wZR`yXe8jNmTSz5{{4_1#5^WJk0+NiFUQbQ$qZ5&k%VHQObX~eR&mX>8Nr6FNo
zYmb^u^2O<FPQrVj0w-Te*!CA$G(v7UzMqazQ&Zz8fB?w4xs?L#YhQ#MeCO7!6oX`h
zgCQ<1?zGygs|=`2<j$QtaekI?z5kQoU}qPX^ey&_Zuwd{SA2no7-fH%5xwyt98Ii+
zy*xBPS3;MT?rGt#UL^}c1Hnu$Ese%$XlwhW0(-u~D<E(M$YOo!HsoYJe*Q4l3v{%!
zDH=R(22v3b5f|?-s9e2T?lyl+h#iN7{LV`9zIN@}K=lJ>1%(d)&inM5?~i)LL`Rnb
zfCVr&t|f~~{$c|7qVX}+=)=`#11+CBJE@Nx`4DqN1F^yYHd~v}4-VMb@yI<gcIOF@
z7qSek2OD#SCFNFDRvh5S2!_D;sij5Ib>@Xph=wV0flLFT83!^0IN4_Tc~a5=RDdyA
zITRtOsi_GTm@ThrV8ARSjziq7?Chjmro!*-Rd0<4o5oFl$@>b40RXsNrNKH_!P(h%
zv;FubZ`N&i@|dq>T5};{=KdpqmP;X=H(J23Crh2(sR3%VYC55-s|x}o?t~ekEufVO
zgV+P+8@AjFM<;r17@n<pusW%hAjuomq9;G*M@k*C_3247NwQe;ug7S@StwiuT6ic*
zykh{E=SJbf1pro6&FZ|phRPikLs=~jgp5nuzJ5K&#pTz}CSs1)(4Z-6V7z4G_{O;G
zZg&>I5O#5^E=YRTzHArW$dWJ#yh7)22!IOg%I8RKC}{B~!o9>T-uqv0o-CT4nX!4>
zI8x*Jy{<P?HBC>h&ijvEzJaLE{==QAp$g~653f|&I==abIOqz+WMyPjR8{pV0=@MG
z0AS9C0n`f6*LAw*S58*qH6^7VGIV<Qvb)1F`&&2SYCYEZyoz0C_2guFbdW_$P$yhY
zj*N`hz46>!SfA=X1aOBy&aed34A|4F!~>uG)g;~tN*#o$ZF6xnE6gA@@dx{~vB0@=
zF`1il-y7K!fC!`j+I(5fxisRrs5xi<{cUsge?$FK8W<_}CG(aSya4VX;Ysa&`u;sO
zZrm>JQQZw3zSr+C)ynd+1-oV=$s+8bix$hVzuoDxG4sV1Y+U9rn(6cB&!643X=ljk
zKyrH1%Hc8r)5;h7QJ-&$-EL#P;B->8(75afarH_#kq0X`nV6Us%mQRDbAGH%<>%vj
zTUM6k!+S(bOw8JHwARb+&2(>8Z%`bHm65SOH;jZaudvXp#3m{)Z}#~qWwj)k;S6P_
z_DOPpxr7ZJd~mi7pV;I9yUfFvbNAM!G>IsCQWO7?9!TrGAMdB8rXYfju%7Sg@89?r
z&vP(f{ttNG#*u+|?YJg^_8%|~Q2oC$@L1j6yn|2hi^DFN<wF_>Uhsbtdj138|DylD
zmlE&xf5rPxA`>p&zjg(+Si37kbh+XS9&1()9#l;IJQygk1<`@{n6Au}6iykL>ucEa
z4_4BzWxNN!N2t>gI^S}JB5)KFD;{LY`BzI6<Ha9kHhg@1baZt0Qc{rQ7zh?ETf=<p
zw{pjyKR<>!MiF1k%sd?+%h|Hk`RNmnpkVW<$7no7-<K}|fq}tu8F)uWM<=H<LP9u%
zvIGwR%*u!aNT?=XlukoKQ~(;!Z$tvi(s@w2v32R*7~ak8tPl@mtIHW$5oD0IA+51X
zd!!4u-5o0LZtyiVGb>z7gKB#A?AhzU(tvBZOaPcH4}}axPenzQlam7h-2Ko$AmD<e
zqyqfAk1H0wbLTg395MkpQkB4GwjcmTmN7|5OH)u#Ty(E1RvZwPo_8dNP*Qv3=f{8z
zFmzK5^BA}&gu)?hhf9iUs;k@9GZQvu=jRh*W1muhv?GSsbyQSTT&=as%gb|ibiDkY
z8iz>6J$`&Rs0NtxJ9hHsy7+jOk-f{PWVwjeU(vmrYA!CtNlENye8Al=^Wd<;!otBj
zHLB+3$rU5l&^&mfiQm7q=?TYvME8rNOyWQKoP!lvYnqzQPfb~o7a}ga{QO+!zV!Ex
zpSg^xKPi6pY-Lr|$L40kIojKI?)1{0FawqBG$#iK$NBT$-j7yp@9vTwK0N+~0}@Xx
zR6hp?ht@@>z|e3$v`caMO|aKF9lj`))9<2_hIIAytIEr}%uLSnAjOAlN(S271<#%P
z8WdWQoQ!PC!e`6+U2on@|H9^`qw~T<=;JRxG(KK~2j}hW-T!S?XqPtPl#dVCMVb53
zrP1Nxgkxwuk39(E=+8GlF@a(mvCQ>|{fFk>#S0fqYabqE!eNmDg3Ufi0^?Jz#yL8b
z6%~dKriZb}Z4Lne0Un;K;#ofz7ujiO2(4HQ;&)X=Wo>N@*L&mLn>U)`QO6+nL_dE{
zr?0QCyvu1mXz_<4Dk|y+og50!qsFrz929irft!FCnJ@-aGIee3$gr@m@^`ZgSb01i
z@xB7({y4C5dG_NjZlFuZAHW8?PV@6C-z-Eh$1bX=sYQREg+$QicP+!o(J`Xqn`cHw
z2IIHQqr}%F_GyadPjYi>2iG6-*@bN3_F;6?EYAMM1jS|4n2#4qX_e}NE-L#3;UOmv
zz7ogCSXo(lt)kVG_<o(z_Cn0(o2O2lq7x1TN8ux_KIV@;83>M1*=v49K_S%#E;0i5
zFf%hd`B}89jt0k3kt?kAtHk^dg+;g%4}Pz&udk~nl*zoZC?;*ng&9jD_Uzd+0PV4{
zu{_x8FRq<h2}njnAyFM;WestnF<+ng0vZPoDG%PC<5Yir(DSM)Pj7D-02DL~pnCr>
zseSmpqvJ^7;S^*U3g_6wguehsqmrsBWLkF#GRzZH?sjmkFo!k`4(HEKdl_X(aE%IZ
z5|K?<SXj80K?hQ&fhb7kdeSFeJ^*#s&Bf))AuP5?Plt~|!b&t+&zPtOovHTPJqyn)
zs`bbRt?~<61809yQgQ$gMqL&GEl|^vD?!RDH2<Wq&_P9ovIT`LGAVZ256AS?7O~U*
z$N(X!!quCFCH}()g$-ee{b}zn1x$oe4HJ`)7_<f<Kvtbw3t_>i6zEk|Rx&a&rWy>e
zWoS)LPd|lYs2>LpI*G9xETt;Y)Arj311X>6;4t4>`a!`Y6cQTR&q^C|jEpZT$cEHC
ze)xJaoI*WatcV5r3mVkUOtl0LP&l%)d3=0);%{dw5UP_m<l#fvj98IFB_$;wiCCf*
zp(ub(<YVp8ldg0Xdxmyrhv~g~ND3kr4uH@GMG0C}F2%#$`7)lPk?(hydOYSpOg(n$
z5XMCu8}PoPBNS8j?wzxm+L7EeHa`=guY0r+{rc|^>=XxxtB<Kz6rv8w%g>YeD85%X
zF@7Bj6-o=~2}~v&36OrES6~!y-}|=jcv36V&Qx01l+jo#nkQM#+R7??<q07g08MIG
z7`1A?aam~Y4R^LKJq)n5KY(x|+UJn|L#BoHgQd+MKIrM_JlVRNnW+a^)X*??a#8rv
zqel=dW)FTb<YH7}&tOCy($R0<y_-JX0{LE8SpU%M1eBHw7cPJdB;&r6Y+$AWxk<}D
z$?IU{Yu$d-P)uy>1^WSUQc}`5v4>mts%h;?(8pySmV5u%+1q>QA8y4F)+<5eIZsA0
zZ$Iuoq2-#Jp9j+0o-P8yCwx2soju7;N9XkO1C{@?t*h$l>esH(EpOr=?-$l=48R^L
zswuUQ5wcQQ)Y`w=ckz>`f3$D>P}zCujVzVe@rj8hJ`8Z^E8kdhkzD@qZDEg<l@-{E
zyiXcHb?MC^XE!&u(9lpaPd^;K3^Q;*X92)LYinf%6c|9TpJ>H(P#}}P$sT+$zy+dS
zc7A@f&q1v`n}NAGheWPwO^{N>{l!F=4`*`n^5n`+2=b4CQfX~%9qk-;`s7Ke?TN?)
zBCyrJd-wG(R^xxv^BXg|Dpb7nbG#v+Bt?}sNbAsAT3WA7Dl9K_W`i208YiApRJ63W
zy_%<2An80wiR-HE`lY6-Dxtr`HQN;OoqZ3>kzmll+x_P<^#PY+D0A5klxfP??c}2)
zrvl27SvnQ+E!~bwd*ImEhL;<{^67gm%r^oVc*cT-YdJ6iX0;}pY5xJa+7eEHzh3b!
zjMT8u(Vg*Fn*s$^>y&Jc&P@D+-3|MJEduHg>`76VGS{U@a4Oyh82hc(==H@>pHJbO
zEa&ddjnrIZB0iE6ct|xm+_eW){PIsjA!4I%&}XdzT^50*7XCt$8V_CPeSdQL$+p<W
zOemt(u{EBXZ+&<trbhqO+1gcg$-TsWIbFcm>*(kJ!vKZF;LdgQsx=p`(V=#GvO7)D
z)YR14&qRvlP0+8d1}wf`DUkEk9}70@){j8;{gs$HjR_DEcfmsh`NpaiYtzVz%gVkE
zJ*jUi8}*JK<Y4)&J^Ik&o~DSfNqKm?!(R!VH24meUc_7C$|J~b`WOVF4df)DPo<tD
z1K3JUNr_gkK1Vyt$^-IhoH5PI&svJ)T5Z{yX(W?OI9%7BX_eb_?Vy+?!)HFkkee;6
zc8)qv6Ztt?SeL0dRczhs&v0*LLMblucgSQVT5OuOV2{n_Jb7E^=g%qIMEU$KaW^*^
z%&iT%3oOA!3aDt5Kaq6D{IR%&<$z=aiQq#fP)x&H@yTPqarf3|baMr|vf}txI`VUK
zQ)8i~8hLh~t9$)Al(nhGPbWtQbjcgbc1?UeI)qa<6aLbx{ZG(7Ac@}m%d2kmu90{^
zo5rZ*B1MFZ!(ZRnTK>6My{ZQ2O;wdj_cl)l6!Q+5mCenp%!W5NK2CjC%gEoB?E3mO
zW`BKoc^k+Bu+Qfa5h)In0H>j^Q+ao|GMGs?QQ9-w(_}XOphsC4aJ=w|6XRVea;2rE
zaf=%v2J(-vMgIBpK^7k2to``&v*P07E}*pazeYypsQEPzHu0Ea=Ut|{eznFpzZd!k
z({F>1Lo+v>+=*m&>R(~0s<(|h(fx#!l*y=y$2FqPf2Ow$6lBl|{X9KZJ1#j-wuN)b
zS>1+shQ8XjJbmGXnPYE)NEpn?%`RwDYV&K2HPbuXhW3ep@@X<KfvY%4HcxA7D>z2I
zahFa>f0?D1*B@9%2}$S0Rk-!7TesHqZ7Hf(t%v_A|A$8sj=jO+%sH_@?BjvgX{$?1
zxG#-ChskL*M$lM6_o^wzK>zQ}*J~&c*rRfJ)fz7$F501HUC+ZqvV<|GU(e7mhh-zK
zS1*PfT97<rKG>;rl&5;8lC?E&d)TvQ3>pN9+mG;|?{6ic?d<K<_d!6D(0{|tMnXc;
z7AFym1JThN3i6H9WJI1(Lxu7%>AmrAtloFcJd4jO7+dr~1#|^G%7fwF-j*YFcx%hu
z)tQl8)!E+j`v1HPy9JGN-nmitpU>#I)!aQide%UwKD8&=HFM@NrEYyshBB9L)6(W<
zOep%adSct|v-(u|;7SR48XA#19jrp%?RM6ti?PNE&I53P1_hE0Jwfm!Oljo>mR~Es
zTG1C|S@mB0-6Wz9(v$}B`V4WwCb#}!Izn{Nz#yExezM(LCuB-nKJMk~<dE64!$9|p
zYOjLvA<SGI9lPTSg&k9Cy5`==i@!`wX8w?o=Jpao*HZI4dx3U6#L73}JRy^Eb1h8M
z$B$5goDXa^zMtU5SVj4r#}SMOCH-ikm}%3;)9<UUp%LzgrI`wociyjlu=*j4UHIXd
z_ZL_WA34z{#BbxxSCrnb_}E3J(fG*enSYj2eia(3xINM%tjr?j_2AhOp2MP7P&+#}
zy4ijN&K!fBw$PpS5$F=5pi%n%jU>ThDRL`-9mVy|ozgLpk&X62g3%EX%X9BKdoJ5}
z1my|>HJ=cU>)fH}l^vaud%p{OKE-ctwC>UuZD>ZB`TTK}T!H-Kz1++c7u?-HH#cXs
zSX@t3Gbw_~R*w!liCD8s072|}FaNytmy2T0v*R>0c%iNkQaN05;U&glT5l{CYhq&Z
z=?oArZnalk1E&Q?Asw7jj%Jl|50|Y0OdJppF!UPex7?36|28#mcP3o?D3khyH$0U6
zlG<Q8+w}3o+U`J-4f%`)m&qSLF3(C{yr{k8Fj`v!KXC~v(#uWs6EE(MJopXjRA%$}
zKPBI`L+)O9SsVuN9ZOSr6$FaZsZ{f1YwRIL!4EYQU2|ap_x;(2u_9&dAc+_yCjPeD
z-yHQ(w@{*R4%Te)-dp}SGwL%}0TgwkTdY$`ZaJqg&1$64%Fzrr^Sd)C3mCq7Z!NKT
z8cn0t8UhK)xD8qpvm!CMbhuO_?u^3KqXkYPu7B;r;S%xu`EvtmY({&Rz3LaEyZH0a
zxEN%oSR}iI#+pB)^`LZO@3u6VvRQ~5;4PlWRE_^u2h~5tXWF{jbMx--Lh1wR#w9OJ
ze!plHRn=PuJKNiiTx?cRhjoAEq%1d5U&^MMdZ>`csxqud1*!s>Y5GyI+b%tvoSY4K
z%+&1P&7v?xz8?(b5;!A2Lo^%f5GpIgoO0XV-MwDy_R*91@nY*ejD~4KbbdjBE=$*T
zh~9;lm0-VQwry~jDQiUrxqg&Vu*)|xc?CXVqk@5$KBMYZ!Q?%?A-k?F!Pu^^f44N(
z|2xq?ZZJPPJK6Q0R)vJW&3<)YN*;1H(rDUcLMQL*tImHPNi5S++3OLt9e0Xb8v4BY
zUYeqI-l|CwHdLijc70#thOKqdE7>Af7K$4mbBk)Bp!Lp;xhK5D>>}Kwa(3W;Ffoka
zG?M^TcDLo{3v9I7x7%x7Oa&Fq<+QxK{9OAuDf>f?d;%%;@$l!+S7>yo`xCtZ0MdL|
zv;YiS??ui}I5y)V`Rms&pf9*rV7E%+uCIS>06z4NA8*$Glvl)hoSbDa^zPXo&2497
zBO<W(oSaVFu(l88<8(>1Ga&Qw%C$-buOFfHCN`ne55+Yq(0m!X{ZHHB^IN<8WvJ>-
zRb3__yoA(HUSbcyj;Sx`_KyP0q6Krga3*rM&l%hIqcPAqCff435lt~-{~P9beqUEQ
z*7Kjmtn%SGX0O<a{&*+iFi!4w_qZfQ!TnA~SWv9b>62Z54?rjD%jS^-&_XL)DdgfU
zT^UjC)QwNPrmq_fNO)545Nc_kfvvBAt@Tl8LvHl+@wk`gmi_$_=|L<@b#`=dxj9~%
zO&heN+z|S~<r2vh;eIn)4)P<P-s?Xf9SG5BHW#jj@rc~gBHEy2Lg?eysrV8`>=>Wb
zdqeJ>9%*+`<?*L?<p{?o(WIGYd&%TslIaSDInnj~t~|BA&)FN}Pl1cs_`@L1OEVO7
z+E@}@Q-zlVIG6qPQH&C@5ib=P&x+6=GL1J#MjJ)_eedM*mA~%+91Cm8K@N$D_GK;(
zkYGjpp&7BDNI#=@J7J1KYV~v?8Bcwx0#B-?x~eKe3YxO537&NY1;a7w%E~`C26OZ2
z+g+#y+g`e-Huo18ON?R+I>_YbP~T5un0tOb=FFSwuoI<~H9zfe`Y_J?4VD8sgqA_t
zVDhJqq?uuEo%`i~`!t(I%(=*j(7Ei(%@S%?=b`(X7Q}cTT`hfYs-rK4tf5MAIJPpD
z8LilyhvX&#gRmWnO_cG9(*uRu7p<ZQECBd%@nFQ<U|E>T&1$rJ)zC}eg1UC)GxYk6
znzM_(a`!W9uaJ#M&vf*)H_@EuyN<~>t%{E3{OP2s2-8J<Xq9$A$vHuxpXQi>Wbh2R
z3;U;F$L5{n%!-yLZ;-W3%nSP6533d{seNo;fEF^XY;v7kUGzDKk2Amqps^wnAbh9u
zr7SF#;H#YX_qGp_9+|45dCW&BYo+pP_z)k)DH2&$MmZwA(qWf|exek4T65Lk$jWnL
zZo0pK<taIK>gDF6o2WjF$~6xU4`3A9+S;?YBKyI!!}il|6)D2s+*d_OZm(=ar}X!J
z4qRv}<tM}`6*HHpSr6-*dFehn*8<0xEx2JEDCdf*JhgPa9tRC6?eAKr^tb4i_zB}0
ztMSI|OwZ#?@520o^SawcJ1fQ6k%yEcvFMsxOA8VAGo#UKY*7Ss_WtO*JL(&P-HPm9
zCmRL>j(-AFSr<!glX>@B5hwHuH(wtr82>L0nMtt&;FFOe$qWUePFzHCVJnpn%n5ky
zuwHZvxhcn)e$=jdo4H!-0X?VtX7-{;F^=P&4%!SWWKcwq5G^k}d9oRzb#`XPTZ}(F
zh1d|AYCl2`!e&2P>f;u{6DJ<U{Q&?`x4)C;+uTt|F!SCH5J=4-dJG^r;GWi#pCY)3
zy742MzB#VHTdICaQ|;MzpV^4$HmABu$a%xg#hPFNuXa(b#b;Yo;B69`n7folNujYz
z?43+LONDhuUCUS;8E^kMmhd^A=y!4+`!q6qM2$v533Szy*+{Nv)QcBSwuG`ihNzrQ
z`;9`^GGMo+vy!qOoQ_~NU#AeF*S1krwBdQW#h5jd5+85;(Pz|R9m_%Vn8EhMt>m4K
zx$o~TZBNkWG#@}FgSh$n?Hf=3ZoFDMz*hk?w<niTbBd-gKGSTh_vV8S@F;ux0t1Hy
zkZr-NKmeL5ma!brRVEH*k%Vl`9Ke_egX11OjDg6=$e;~H>p3tqpzrj(NDVxELXmax
z020g&2>(xa*WE!B1T`l?;88Uj4nI`=KulD08DJ13?I$O=iu}b5JXW~5xfQQmdAR;X
zf4sKf=lJ-|GqL5f=h+I7g<mZ|tYP+u4P)ddn^N@do$<Td&yI#!0H*|KqV*)`{d-v^
zrWgPN{`YtJ5oT53&1q>|3(DHsMn>0`&GhshLnBNe6#Dk(&Yc^%%Yv`Ex4m);9_V!`
zgj9ndU#yv>o)mgtCzEh3D)9isARa8FAo3$eHda>~&*{zwS61{|q$9GZeqR%z&CSg~
z%mA%}!y=4{;dpW8Y*H|kde`t~LCKBgpceXNYK#FrNNu2cZOt1Eaz>uOkYS6i&CJXI
zm@@Y*#b+qqatDqKgMj8yMcx8f3JOh}LU>ZrA}DG&7@Df&<>Na+!4dW4i4(E&S4UjT
z%x9QEl=ZZ=RmUA*Fc^3Ve-c__<yBQb6QVh@zu55QO-$T`TXOKFrlom3d`LOHZrD<E
zo$&tsdkvfhfs7o$93^Gb=HO29a}b)Zq8_1}9tQ7jZ_9(2$m32<MJ2Cy3dgbk_%)nU
zWmVrPQBg;jqqX9>j2h2+{kr4J7m!gH<QpPlW2Yx4Z*MGz67}h#(HgE>Pa+Z$o(Zd_
zAfJ6l9GE9A6Aks;dq=4vhBJ3N?JNoA>M>B*W@h->B}JMql^oF1(>t=@QO^}pG_DpE
zibkWa{tjh<ZpFbLnW3*=^(99G;Zf}g7tcvavGM}q-!i+pwY?odc9M<`#t!rJ3l;X{
zP-6!c70X&vwgR9H4i2*L;-T4ReLND=^v6RbM<<m@ga?@lICW%lax!RT?(N&RAdPiV
z!0fC)4?jPPgw2aBk5*nGA<&(f?@?h9!N#3q{DOiE?ML6p;F?_&pl2!A#|RjK?xR@b
zdV0w9df2Tb^ck*neP!Nt6i=Wab{~vX-QCM|5BzI$az4Wv4iV>o-6xzXqK;^_tfL<X
zlVOmbDSQM_l_d_-v5B!gxN(C^2nM7E240m`HZ{C_$()XW@IP$ME7yNUij$3-P0#}c
zin%9bVXnx}0ta~|;Mq?%{ea_Xr)cHC%%8x8hR5qq4Yaf#1!JH+fiFRV=dBA%OZ%If
zPf1I&#gK!xf0Ca+_(Xe;%|Jer2n?iBfQ}srHou|i_3RA}AM%_8LkQ)Pl6sXIYS~G5
zL_sJfjfsN?aS_k|cv<;8<#Sps0&KRsh|(koFLoRP4v&TTueJ}+$obphpcA@q!SHls
z3h|<s^d4x?QQh|R9p`41qOJufLqA<i+t^rH{b#5OyO59&sJu;hbAS&xgK-Xr7LBTN
zeYQ3>T@-Ljfg@f|{p_u|ro5*=9Y!mwsVVr%q3XwBe$o)n@7UGZ**QgJb8EM#gCbpI
z1a$U%h77HoFF%tZwjAwISa&1+RSKVj+u>-~U@$n7`-2CLDasbF;^J(Y+=!EirVDp`
z0259@{2~1)>AXW|^m&YcK~epaXT<rc{^2^G0|#a@N_ZE;lK!G(f;U7lgt>cQDnl>?
z8nWMtEF7wr6`Y*jl2wWYq6t<hA09wS^7gL1mNCvZ^H2LjNGKG?5&79@_ehcvs#vmM
zc5W^N2bM8FK`$VGMoptji-Cia)A#h$sAigirdX}6F$E>%tF!iTRP1XJw>Au+t+{0E
z>RJ*QNXqmY1P{CSkWiQQrPwcdOF{qA)6?_r#l}GDtp27T27VEu+vWc>CCH|1^(O5%
zH7}(rMN%GICk)_VO!F515tux1p<!dQ=k%gSphxp)bHvjDlsbWzx6Z`++CK2~>=jFT
zG}_$!3p!#~NuVd{8W|rCHSijvxxH^oOA8Ruot+(^Zi$IYeG0_!co6pX*9(2#93v6j
z2C|<d?a4?SjbFwun`vo{FD@Rev<kyK^;BMAt>vNU9y9Dd<fZTL?zH||0bM7xff|F*
zt^m(aOO)D%dI=MZ?`m&>gImV}e@r1xxtDGwiQYJzH$$PVt1JJ7!~jyk_z$S_Yj$6Q
zd~zvp3=GX5Kf=8K0gNu)dWP;m7fbz-?}k}^N{!v5nS(fI2=7dgoD~iQZNu0S{+&EW
zOsl2~_?!o{1#>J5zwc*pA23T7v13GUcP83jZA1~LA-=<OYl>W;__MLGF%gAJP>Sq6
z!_q-8NI_B%^Wm+X9d9T`Lv^!X3)#6o#YxzHd#-~4lgMCUqQAc#(1(QCx@NqY0SdH_
zo60>#I%fF4Uj<0X?%yesUn`(UMhHeQl!=TGhb|2$wiIA%&ksL<0hDmbPe)+RF}-_}
z#TV?L$>N*1S5Z-M0L|_4uq750@yh^uf3(7*n}jhb@I?R$l{j(oKQO0>?-6{&=t(8}
thaG0!70Va#5OAP}{QFf21kr0dKwVy35LrLPqzbPhO7dz~Udx(4`X3eV#)SX?


From 61ecf539731b7b283539ea9f65883dac76ff9ac5 Mon Sep 17 00:00:00 2001
From: Chris Doherty <chris.doherty4@gmail.com>
Date: Tue, 28 Feb 2023 09:07:40 -0600
Subject: [PATCH 08/14] Add LastUpdated filelds and update MAC validation

Signed-off-by: Chris Doherty <chris.doherty4@gmail.com>
---
 design/20230222_tinkerbell_crd_refactor.md | 54 +++++++++++++---------
 1 file changed, 31 insertions(+), 23 deletions(-)

diff --git a/design/20230222_tinkerbell_crd_refactor.md b/design/20230222_tinkerbell_crd_refactor.md
index f205b30..21eaf9d 100644
--- a/design/20230222_tinkerbell_crd_refactor.md
+++ b/design/20230222_tinkerbell_crd_refactor.md
@@ -73,6 +73,7 @@ Users resort to Q&A in the Tinkerbell Slack to determine what fields are require
 - To change the existing relationship between Tink and Rufio.
 - To introduce additional object status data typically found on the `.Status` field.
 - To support new technologies such as IPv6.
+- To define new Kubernetes events.
 
 ## Proposal
 
@@ -83,6 +84,8 @@ The CRDs will be developed under a `v1alpha2` API version.
 #### `Hardware`
 
 ```go
+// +kubebuilder:printcolumn:name="Cluster",type="string",JSONPath=".spec.clusterName",description="Cluster"
+
 // Hardware is a logical representation of a machine that can execute Workflows.
 type Hardware struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -212,8 +215,8 @@ type Instance struct {
 // NetworkInterfaces maps a MAC address to a NetworkInterface.
 type NetworkInterfaces map[MAC]NetworkInterface
 
-// MAC is a Media Access Control address.
-// +kubebuilder:validation:Pattern="^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$"
+// MAC is a Media Access Control address. MACs must use lower case letters.
+// +kubebuilder:validation:Pattern="^([0-9a-f]{2}:){5}([0-9a-f]{2})$"
 type MAC string
 
 // Nameserver is an IP or hostname.
@@ -375,6 +378,9 @@ type WorkflowStatus struct {
 	// started.
 	StartedAt *metav1.Time `json:"startedAt,omitempty"`
 
+	// LastUpdated is the observed time when State transitioned last.
+	LastUpdated *metav1.Time `json:"lastUpdated,omitempty"`
+
 	// State describes the current state of the workflow. For the workflow to enter the 
 	// WorkflowStateSucceeded state all actions must be in ActionStateSucceeded. The Workflow will
 	// enter a WorkflowStateFailed if 1 or more Actions fails.
@@ -390,19 +396,21 @@ type ActionStatus struct {
 	Rendered Action `json:"rendered,omitempty"`
 
 	// StartedAt is the time the action was requested. Nil indicates the Action has not started.
-	StartedAt metav1.Time `json:"startedAt,omitempty"`
+	StartedAt *metav1.Time `json:"startedAt,omitempty"`
+
+	// LastUpdated is the observed time when State transitioned last.
+	LastUpdated *metav1.Time `json:"lastUpdated,omitempty"`
 
 	// State describes the current state of the action.
 	State ActionState `json:"state,omitempty"`
 
-	// Reason is a short CamelCase word or phrase describing why the Action entered
-	// ActionStateFailed. It is not relevant when the State field is not ActionStateFailed. 
-	Reason string `json:"reason,omitempty"`
+	// FailureReason is a short CamelCase word or phrase describing why the Action entered
+	// ActionStateFailed.
+	FailureReason string `json:"failureReason,omitempty"`
 
-	// Message is a free-form user friendly message describing why the Action entered the
-	// ActionStateFailed state. Typically, this is an elaboration on the Reason. It is not
-	// relevant when the State field is not ActionStateFailed.
-	Message string `json:"message,omitempty"`
+	// FailureMessage is a free-form user friendly message describing why the Action entered the
+	// ActionStateFailed state. Typically, this is an elaboration on the Reason.
+	FailureMessage string `json:"failureMessage,omitempty"`
 }
 
 // State describes the point in time state of a Workflow.
@@ -410,17 +418,17 @@ type WorkflowState string
 
 const (
 	// WorkflowStatePending indicates the workflow is in a pending state.
-	WorkflowStatePending   WorkflowState = "Pending"
+	WorkflowStatePending WorkflowState = "Pending"
 
 	// WorkflowStateRunning indicates the first Action has been requested and the Workflow is in
 	// progress.
-	WorkflowStateRunning   WorkflowState = "Running"
+	WorkflowStateRunning WorkflowState = "Running"
 
 	// WorkflowStateSucceeded indicates all Workflow actions have successfully completed.
 	WorkflowStateSucceeded WorkflowState = "Succeeded"
 
 	// WorkflowStateFailed indicates an Action entered a failure state.
-	WorkflowStateFailed    WorkflowState = "Failed"
+	WorkflowStateFailed WorkflowState = "Failed"
 )
 
 // ActionState describes a point in time state of an Action.
@@ -428,30 +436,30 @@ type ActionState string
 
 const (
 	// ActionStatePending indicates an Action is awaiting execution.
-	ActionStatePending      ActionState = "Pending"
+	ActionStatePending ActionState = "Pending"
 
 	// ActionStateRunning indicates an Action has begun execution.
-	ActionStateRunning      ActionState = "Running"
+	ActionStateRunning ActionState = "Running"
 
 	// ActionStateSucceeded indicates an Action completed execution successfully.
-	ActionStateSucceeded    ActionState = "Succeeded"
+	ActionStateSucceeded ActionState = "Succeeded"
 
 	// ActionStatFailed indicates an Action failed to execute. Users may inspect the associated
 	// Workflow resource to gain deeper insights into why the action failed.
-	ActionStateFailed       ActionState = "Failed"
+	ActionStateFailed ActionState = "Failed"
 )
 ```
 
-A `Started` condition will be used to indicate the workflow has started and is observed based on the presence of `Workflow.WorkflowStatus.StartedAt`. It's severity will be `ConditionSeverityInfo` and its default Status will be `ConditionStatusFalse`.
+A `Started` condition will be used to indicate the workflow has started and is observed based on the presence of `Workflow.WorkflowStatus.StartedAt`. It's severity will be `ConditionSeverityInfo` and its default status will be `ConditionStatusFalse`.
 
-A `Succeeded` condition will be used to indicate the workflow succeeded indicated by a status of `ConditionStatusTrue`. When an action fails, `Succeeded` will become `ConditionStatusFalse` with severity `ConditionSeverityError` and the `Reason` and `Message` will be propagated from the failed `ActionStatus`.
+A `Succeeded` condition will be used to indicate the workflow succeeded. It will default to `ConditionStatusUnknown`. It will become `ConditionStatusTrue` with `ConditionSeverityInfo` when `WorkflowStatus.State == WorkflowStateSucceeded`. When an action fails, it will become `ConditionStatusFalse` with severity `ConditionSeverityError`. Its `Reason` and `Message` will be propagated from the failed `ActionStatus.FailureReason` and `ActionStatus.FailureMessage`.
 
 #### Conditions
 
 The conditions data structure will only be available on the `Workflow` CRD but is designed to be applicable to other resources. It provides the foundational components for extensible observations about any resource that it resides on.
 
 ```go
-// ConditionType 
+// ConditionType identifies the type of condition.
 type ConditionType string
 
 // ConditionSeverity expresses the severity of a Condition Type failing.
@@ -461,8 +469,8 @@ const (
   // ConditionSeverityError indicates the condition should be treated as an error.
   ConditionSeverityError ConditionSeverity = "Error"
 
-  // ConditionSeverityWarning indicates the condition shouldbe investigated but the system may
-  // continue to work.
+  // ConditionSeverityWarning indicates the condition should be investigated but that everything
+  // may continue to function.
   ConditionSeverityWarning ConditionSeverity = "Warning"
 
   // ConditionSeverityInfo indicates the condition is informational only.
@@ -504,7 +512,7 @@ type Condition struct {
    // LastTransitionTime is the last time the condition transitioned from one status to another.
    LastTransitionTime metav1.Time `json:"lastTransitionTime"`
 
-   // Reason for the conditions last transition.
+   // Reason is a short CamelCase description for the conditions last transition.
    // +optional
    Reason string `json:"reason,omitempty"`
 

From 68cff61d87c686de3c82cf87bdf7e255ad10004e Mon Sep 17 00:00:00 2001
From: Chris Doherty <chris.doherty4@gmail.com>
Date: Tue, 28 Feb 2023 09:15:32 -0600
Subject: [PATCH 09/14] Expand condition descriptions

Signed-off-by: Chris Doherty <chris.doherty4@gmail.com>
---
 design/20230222_tinkerbell_crd_refactor.md | 44 +++++++++++++++-------
 1 file changed, 31 insertions(+), 13 deletions(-)

diff --git a/design/20230222_tinkerbell_crd_refactor.md b/design/20230222_tinkerbell_crd_refactor.md
index 21eaf9d..d25bc4e 100644
--- a/design/20230222_tinkerbell_crd_refactor.md
+++ b/design/20230222_tinkerbell_crd_refactor.md
@@ -339,16 +339,6 @@ type Volume string
 #### `Workflow`
 
 ```go
-// Workflow describes a set of actions to be run on a specific Hardware. Workflows execute
-// once and should be considered ephemeral.
-type Workflow struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   WorkflowSpec `json:"spec,omitempty"`
-	Status WorkflowStatus `json:"status,omitempty"`
-}
-
 type WorkflowSpec struct {
 	// HardwareRef is a reference to a Hardware resource this workflow will execute on.
 	// If no namespace is specified the Workflow's namespace is assumed.
@@ -448,11 +438,39 @@ const (
 	// Workflow resource to gain deeper insights into why the action failed.
 	ActionStateFailed ActionState = "Failed"
 )
+
+// +kubebuilder:subresource:status
+
+// Workflow describes a set of actions to be run on a specific Hardware. Workflows execute
+// once and should be considered ephemeral.
+type Workflow struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   WorkflowSpec `json:"spec,omitempty"`
+	Status WorkflowStatus `json:"status,omitempty"`
+}
+
+type WorkflowList struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Items []Workflow `json:"items,omitempty"`
+}
 ```
 
-A `Started` condition will be used to indicate the workflow has started and is observed based on the presence of `Workflow.WorkflowStatus.StartedAt`. It's severity will be `ConditionSeverityInfo` and its default status will be `ConditionStatusFalse`.
+##### Workflow `Started` condition
+
+A `Started` condition will be used to indicate the workflow has started. Its default status will be `ConditionStatusFalse`. 
+
+When `Workflow.WorkflowStatus.StartedAt` is a non-nil value it transitions to `True`.
+
+##### Workflow `Succeeded` condition
+
+A `Succeeded` condition will be used to indicate the workflow succeeded.
+
+When `WorkflowStatus.State` transitions to `WorkflowStateSucceeded`, it will transition to a status and severity of `ConditionStatusTrue` and `ConditionSeverityInfo`. 
 
-A `Succeeded` condition will be used to indicate the workflow succeeded. It will default to `ConditionStatusUnknown`. It will become `ConditionStatusTrue` with `ConditionSeverityInfo` when `WorkflowStatus.State == WorkflowStateSucceeded`. When an action fails, it will become `ConditionStatusFalse` with severity `ConditionSeverityError`. Its `Reason` and `Message` will be propagated from the failed `ActionStatus.FailureReason` and `ActionStatus.FailureMessage`.
+When `WorkflowStatus.State` transitions to `WorkflowStateFailed`, it will transition to a status and severity of `ConditionStatusFalse` and `ConditionSeverityError`. Its `Reason` and `Message` will be propagated from the failed `ActionStatus.FailureReason` and `ActionStatus.FailureMessage`.
 
 #### Conditions
 
@@ -485,7 +503,7 @@ type ConditionStatus string
 
 const (
 	// ConditionStatusUnknown is the default status and indicates the condition cannot be
-	// evaluated to either ConditionStatusTrue or ConditionStatusFalse.
+	// evaluated as True or False.
 	ConditionStatusUnknown ConditionStatus = "Unknown"
 
 	// ConditionStatusTrue indicates the condition has been evaluated as true.

From bb91b1ff108a99715ada088e21916cdad28600c8 Mon Sep 17 00:00:00 2001
From: Chris Doherty <chris.doherty4@gmail.com>
Date: Tue, 28 Feb 2023 09:56:11 -0600
Subject: [PATCH 10/14] Add printcolumn markers and List objects

Signed-off-by: Chris Doherty <chris.doherty4@gmail.com>
---
 design/20230222_tinkerbell_crd_refactor.md    | 115 ++++++++++++------
 .../workflow_state_machine.png                | Bin 16265 -> 18521 bytes
 2 files changed, 75 insertions(+), 40 deletions(-)

diff --git a/design/20230222_tinkerbell_crd_refactor.md b/design/20230222_tinkerbell_crd_refactor.md
index d25bc4e..9ad749e 100644
--- a/design/20230222_tinkerbell_crd_refactor.md
+++ b/design/20230222_tinkerbell_crd_refactor.md
@@ -84,16 +84,6 @@ The CRDs will be developed under a `v1alpha2` API version.
 #### `Hardware`
 
 ```go
-// +kubebuilder:printcolumn:name="Cluster",type="string",JSONPath=".spec.clusterName",description="Cluster"
-
-// Hardware is a logical representation of a machine that can execute Workflows.
-type Hardware struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	HardwareSpec `json:"spec,omitempty"`
-}
-
 type HardwareSpec struct {
 	// NetworkInterfaces defines the desired DHCP and netboot configuration for a network interface.
 	// +kubebuilder:validation:MinItems=1
@@ -228,9 +218,37 @@ type Nameserver string
 type Timeserver string
 
 // StorageDevice describes a storage device path that will be present in the OSIE.
-// StorageDevices must be valid linux paths.
+// StorageDevices must be valid Linux paths. They should not contain partitions.
+//
+// Good
+//   /dev/sda
+//   /dev/nvme0n1
+//
+// Bad (contains partitions)
+//   /dev/sda1
+//   /dev/nvme0n1p1
+//
+// Bad (invalid Linux path)
+//   \dev\sda
+//
 // +kubebuilder:validation:Pattern="^(/[^/ ]*)+/?$"
 type StorageDevice string
+
+// +kubebuilder:printcolumn:name="BMC",type="string",JSONPath=".spec.bmcRef",description="Baseboard management computer attached to the Hardware"
+
+// Hardware is a logical representation of a machine that can execute Workflows.
+type Hardware struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	HardwareSpec `json:"spec,omitempty"`
+}
+
+type HardwareList struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Items             []Hardware `json:"items"`
+}
 ```
 
 #### `OSIE`
@@ -238,6 +256,14 @@ type StorageDevice string
 `OSIE` is a new CRD. It enables re-use of OSIE URLs across `Hardware` instances.
 
 ```go
+type OSIESpec struct {
+	// KernelURL is a URL to a kernel image.
+	KernelURL string `json:"kernelUrl,omitempty"`
+
+	// InitrdURL is a URL to an initrd image.
+	InitrdURL string `json:"initrdUrl,omitempty"`
+}
+
 // OSIE describes an Operating System Installation Environment. It is used by Tinkerbell
 // to provision machines and should launch the Tink Worker component.
 type OSIE struct {
@@ -247,29 +273,16 @@ type OSIE struct {
 	Spec OSIESpec `json:"spec,omitempty"`
 }
 
-type OSIESpec struct {
-	// KernelURL is a URL to a kernel image.
-	KernelURL string `json:"kernelUrl,omitempty"`
-
-	// InitrdURL is a URL to an initrd image.
-	InitrdURL string `json:"initrdUrl,omitempty"`
+type OSIEList struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Items             []OSIESpec `json:"items"`
 }
 ```
 
 #### `Template`
 
 ```go
-// Template defines a set of actions to be run on a target machine. The template is rendered
-// prior to execution where it is exposed to Hardware and user defined data. Most fields within the
-// TemplateSpec may contain templates values excluding .TemplateSpec.Actions[].Name.
-// See https://pkg.go.dev/text/template for more details.
-type Template struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec TemplateSpec `json:"spec,omitempty"`
-}
-
 type TemplateSpec struct {
 	// Actions defines the set of actions to be run on a target machine. Actions are run sequentially
 	// in the order they are specified. At least 1 action must be specified. Names of actions
@@ -290,11 +303,11 @@ type TemplateSpec struct {
 
 // Action defines an individual action to be run on a target machine.
 type Action struct {
-	// Name is a unique name for the action. It cannot be a templated value.
-	Name string `json:"name,omitempty"`
+	// Name is a name for the action.
+	Name string `json:"name"`
 
 	// Image is an OCI image.
-	Image string `json:"image,omitempty"`
+	Image string `json:"image"`
 
 	// Cmd defines the command to use when launching the image.
 	// +optional
@@ -334,6 +347,22 @@ type Action struct {
 // See https://docs.docker.com/storage/volumes/ for additional details
 type Volume string
 
+// Template defines a set of actions to be run on a target machine. The template is rendered
+// prior to execution where it is exposed to Hardware and user defined data. Most fields within the
+// TemplateSpec may contain templates values excluding .TemplateSpec.Actions[].Name.
+// See https://pkg.go.dev/text/template for more details.
+type Template struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec TemplateSpec `json:"spec,omitempty"`
+}
+
+type TemplateList struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Items             []Template `json:"items"`
+}
 ```
 
 #### `Workflow`
@@ -362,14 +391,14 @@ type WorkflowSpec struct {
 
 type WorkflowStatus struct {
 	// Actions is a list of action states.
-	Actions []ActionStatus `json:"actions,omitempty"`
+	Actions []ActionStatus `json:"actions"`
 
 	// StartedAt is the time the first action was requested. Nil indicates the Workflow has not
 	// started.
 	StartedAt *metav1.Time `json:"startedAt,omitempty"`
 
-	// LastUpdated is the observed time when State transitioned last.
-	LastUpdated *metav1.Time `json:"lastUpdated,omitempty"`
+	// LastTransition is the observed time when State transitioned last.
+	LastTransition *metav1.Time `json:"lastTransitioned,omitempty"`
 
 	// State describes the current state of the workflow. For the workflow to enter the 
 	// WorkflowStateSucceeded state all actions must be in ActionStateSucceeded. The Workflow will
@@ -377,7 +406,7 @@ type WorkflowStatus struct {
 	State WorkflowState `json:"state,omitempty"`
 
 	// Conditions details a set of observations about the Workflow.
-	Conditions Conditions
+	Conditions Conditions `json:"conditions"`
 }
 
 // ActionStatus describes status information about an action.
@@ -385,11 +414,14 @@ type ActionStatus struct {
 	// Rendered is the rendered action.
 	Rendered Action `json:"rendered,omitempty"`
 
+	// ID uniquely identifies the action status.
+	ID string `json:"id"`
+
 	// StartedAt is the time the action was requested. Nil indicates the Action has not started.
 	StartedAt *metav1.Time `json:"startedAt,omitempty"`
 
-	// LastUpdated is the observed time when State transitioned last.
-	LastUpdated *metav1.Time `json:"lastUpdated,omitempty"`
+	// LastTransition is the observed time when State transitioned last.
+	LastTransition *metav1.Time `json:"lastTransitioned,omitempty"`
 
 	// State describes the current state of the action.
 	State ActionState `json:"state,omitempty"`
@@ -440,6 +472,9 @@ const (
 )
 
 // +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state",description="State of the workflow such as Pending,Running etc"
+// +kubebuilder:printcolumn:name="Hardware",type="string",JSONPath=".spec.hardwareRef",description="Hardware object that runs the workflow"
+// +kubebuilder:printcolumn:name="Template",type="string",JSONPath=".spec.templateRef",description="Template to run on the associated Hardware"
 
 // Workflow describes a set of actions to be run on a specific Hardware. Workflows execute
 // once and should be considered ephemeral.
@@ -454,7 +489,7 @@ type Workflow struct {
 type WorkflowList struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Items []Workflow `json:"items,omitempty"`
+	Items             []Workflow `json:"items,omitempty"`
 }
 ```
 
@@ -527,8 +562,8 @@ type Condition struct {
    // +optional
    Severity ConditionSeverity `json:"severity,omitempty"`
 
-   // LastTransitionTime is the last time the condition transitioned from one status to another.
-   LastTransitionTime metav1.Time `json:"lastTransitionTime"`
+   // LastTransition is the last time the condition transitioned from one status to another.
+   LastTransition *metav1.Time `json:"lastTransitionTime"`
 
    // Reason is a short CamelCase description for the conditions last transition.
    // +optional
diff --git a/design/images/tinkerbell_crd_refactor/workflow_state_machine.png b/design/images/tinkerbell_crd_refactor/workflow_state_machine.png
index e85b4c3f0a83815b2508fe402ba3f9008d8233f0..1ef909e94e98c5bbb6717f44093dc9767985a266 100644
GIT binary patch
literal 18521
zcmdVCc|4Wv+b)hm$XLsic?gS$O6GZ1#&t``JVqIlAynoiV<=@F!c9aXnHtPwC^8gE
z=9F2HVV|p>_q*SB@9(?!{^$3{?~mu>>0ax;?(4pW^E}SuIIb0Kpr=Vq$x2B?L`1Ev
zrDjA#L>veItsNqPE6+!-oQ6L_KI*1EcJ3bjZVrw<M4Ap)9lUIO9PGJl{kfcdd^}{t
z#5~+=uKHZN;wEb6eue&|G#j*V)dgqj^B>oVh@lz3^w>mmeG+lH@QH_uA@?;;UL+|o
zd`e3;mCNm>V)2svOulcOt6fctFXfkskJFFnwQekSpLLo^uRdWET9*9e-OQ<b0cU<<
zrq+@wX><IPNLIa8$ZY(`du4eZ-xR-)W<c5;DZ$)RWvj9(!X+@mn<!8?U}Dd8M?L#+
zxQXRlmuHNoOyG`|z_mM`nY$s@O8V*k1|!Sk8(Dk4bA|q`)8%R=IBP_O`eAyn=$#zi
z>7GW?M_u7l<NGC*7~3m9@-4Cy+Tzh5kF6dPrO`d+{SsnsJ8g{KU3!t)3e3P|wYP$o
zKMgSK&pju}J!EG1$*twy`MJ&G2G73bZ=U41HP~~KChduHb6rX5Ku3b8&@X4hWVwh1
z<RRZRt>3?S)(4H4AM2DQ9Cqqpysa5Kukw|wv5|6#RHZXkk;;)`ekENdIyiYA+sgdt
zuCkx51`ZR)7)*a5zhsx>>1IRnjRS#mOF|;;JxfGH8lKu}$~eE#?-~9Un8E#h@2;R;
zY7gz?qx9Uo&pdQ>bz68inOW5xw9OLn$DZ3<)xKJEKbr@yg}-f{|A->`kuCRa-Cr+N
zTKEkOw{HkN4lXaB{kSvZz4XcE`Rg%1`Tfu0UA0b*Jq@!RzvX{^Iu*aGdWf5`*UpVZ
z<q)ENh#QCD4nuju=ukYJN)gtUI9)L$co0Pz8yneWece7*pV+hYpMO^{GBV=Erh?F~
zd4K!x_~KK?XYLb?kBJ|hf9U(Qm0I#>4jLsLT6}fv#j_L9WtZw49UUucp?Q%ZW0JFH
z&n7$N(WChL4{}r^t4~l1?tgxDp!yixG9MKm?`|GoYim2~1D$we_xa^5jUp79c9Vf;
z9r1(*SGV3CswAdB)XyoasNC*HU%QUnBz)HzKGP_nEO$7-fZ`1h!aGoKL7UHBeq4Zm
zd>|$lhIcY0W+Tyo*J59eJOfuvUT&?;*7<%%`;A3KMR#f?;0FKpo}Ld<6y4EB1coi(
zJC3U79v4m)7aJFPU6zMl=xUQm+la##&-B;(drOk!pzvZvSQsq$5Jv4ko{sY1F!0&`
z@-g)6Pv>Bm|9lKX{^xFl{?Fb2^W*<{>pu<tU+?&j2LIc>oKCuX_ik2J`SWk(O?xsv
zbA4alMDEXq>}eL<M~u;LFRpzvF)?98)T53g@_x(Klg-h^#l^N=vB%EdzI{86O`6Aq
zijwjPUaz1+g^B52yu!9t$nR&aLu_npi;IgMYQvod;;#1nx$4^5+6(u}+ZP5)I0F|e
zn)de|qC9HGxaq~kotcO3_!H*UZp!;CryTE?j#at5KcX*p>*gFif?;RBRH(;Z%wcXc
zxYnzv=<<#a#V2@OzyvT&vR6!hjaSsz_w@EYQW6{-%&T#y&oU>ck@Ba_h3J+}x~GCl
z`!8^Mp(szj4?5ZyB)i>R>plDAu=cadgQ!jl_WIJey4d9pr6Up4$DZuIE6^=(*fe_+
zS--da?LwIa{h7lo5`27o%|k;qzTZb{Yio_H-uCt`eR%wFapY-*-1Q%ywl}^h?*00z
zr>AFQV<U6PtYT(1Gw|xx>U1s<c4@4x##95Ho}VxF#>mVrcZoICufNkhb9un|{iE}?
zwz-1dTdNM7oLR@uKfsk+vKJa!Sd<1EK6QNi;G_+SXp`<e(TU*Sk9GJ3cSfAD=1X)|
zP6zL94DIdy9xA=~)UGY=O$2owdPpc7h5dxodQC?~MZJElA`-Q~`TOV6{z@CCFoODg
zAALqn%kjLfF7NuQqjT3x=SH8Ew9oWO8_qng86Ry3{28*h#@T<tkT&2Km01098)r!N
zIZMmTnwsmd{^K|m<Hkjo-bGy25F|I>U0Ze>v7_zi=y-(<TYW{&IoBrfPWmVY^QEs(
zIUqoWN6qur&!vgT+sDpau5#|rJ>}H1I9&1dl`2jYh4DT>c6hk@%Eza@3c@{V6%6e1
z+FeDO`=_n>+2|cMzkj^``6cm%3m0H+jfyDccGutk639wV|Mc9`?jThZsfw!V?AwQt
zW#J8qJIe=TFh`G5mYY4JED_L4r_1n$c;Mw)zrXi8==Y|&V%U@X@5IE!!?{_4EU2`o
zC`}@}+_T`_fTLGOtL8gXgmbu?d5!MymY<i2%+rj|jexygSWpoC`zi|yi>;l3LBbBQ
zz%=;OsaJ7-=SY|HK{gzEv5-L(HIk!trlNBFP-;V>6_tpp(B7Dg7I>tWvAs}IZu{&)
zxn-2lGL!ieR!+`%y=$ve+J?-#EG6bOR|lJ9LlM4!VHi-ety_nSI}P3@9K}6zdH)Ck
zT~E67``+H(t}d$Z#2eA3tqCG(;a5IZe_t1)prEkjwH4heIc+(R#IGBM9u*eP$F{tu
z>rpAyLFjGs(Z;=PSD$0{XXnyPscC4+EE{B!vXhgKmOgs)$hQ2s3+ac)=8=eawz3t%
z8T^Zz<h0L{Y9vic5jN!k{m{#YMY99N#vUePFRn$xIuBTP-YrSU3O(eMo0~gDYQQZS
z5f;{d_Hw<THiAzn(nMqm6VuY7W3{j?3wVq$1QVS?H1OvS<#R^K+}%jIWdkfaJB$!F
z$w7Vn-o-^XK8dlq>+VBk8PAJL%dw?<upZmnxtJ35i;Hv$W=N?Rqh22DYTDg2pYBYl
z2!P4IhD6Kiz)pfj)#Z!UhO9zbG}zdgsKhVT`Cggr$$)@S*BX<AD=>}bMualSs%tI}
zQfjK1L^W5#?u0N{V2qjT&(qx9-e?J$mc9N%iJFJyX!cX?82ana>wM;KYiYVIeX3o9
zB`$)wYtkRvFL3Pa)f;;|{-rzvuS?criU)3Nue-RVowT`ay0N_MJX%#8yjd7R!z5<8
zI97Mo(!AKH00PAiSkqaNU)v2srSKUU>=t<|xv8R;%t}m7RFs-V*FU*&apm;n<Rq7Z
zn~#rAx|AmmqOMhp6okXWKGpj_mFvmxb`=#78Q71d%6$qER8y|XmVZ?L0C(YO?CViT
zAmRUew)k(;!G8qz|Hu|7{=CwkjPoC91M=O!%Q)sra(TlEsLv(?d~uDAp1#6;LO~rV
zC@4_Z(5Q@t=DPKRgB8}RZftq6BkG!(cG6;E@#obbN775l%D&N=WNA`CAQYH-cz9TU
zC8SWwwm5dzJ-T7akT1oIC(NvgDY%YB8X(QLnWa3qYz1XyWtk~MzJLD?>!jBa`duNy
zaOB9x8uy7EtMv4A1_p*<5$I}a%kJ-=V`F3LI8vGGKkl4xV}uUI@bd7ee6nhrSYGy!
zgwz?uZ)9pZH#c_(fn7w_<wghJp>o(>pEnrH*S<S^l+cc@r6mV0<>AAwM_lkMXBrN<
zb`36Ein{m8WDE5%$?l+bHlvl7zZJY^x>JNNWGVzb7`ug5szIMtSYl&hy1KhX_%IKt
zm_+&b`NPA)M64Rqc_oXmx?g^b)g2MgJEy1T$iy%6d7n|?SX(@&)7c!fJ8OlMl=M>L
zjkK{OW*$jNNh}us1%o*B_)%uQ2-v^|@)`=9Idg5K(qT~om*TJF*6W9Nw(rf9kB*LB
zJcCPN`H{D_cT@-y!z4DN7K%$LPLsUyAl&C>I2BV*+9^%Xp_++c*~<e(uR_To_UROu
zx+wPqPPHdOmW5$7&k!RaA+fcyd+Rj^LC1635$znf{vH;cbF;uR*da>|KQpTeyk~ph
z?d!c~<4kuaW5ig`T*i%FhAp?d__TMyJ@PyjL8rccJ;KNs!C_lu>T<Cm;M!xeXB>fA
zv8-pH5rm`R1$;Y&^R{Z0`@|k0n3p^#xlq2>A&?a{&1C79qZ!Zfs0uS4rLrfJgi5gV
z_xC&Xq>E499fg2O!!8pwy|c3e56OO$CFgJC#<G)8X*8It9%HZtNNOM^<wLcvuP^L)
z0@ApAdEvge-R6%mVP9^KhbL`RqR%*sL>OQ5@Gz~g4bRHrT#u#F*3rRwBj+ESo`0{e
zc%}edu7J_Bq0L3lHGiu0j{Tjlmnp}RNON04gqMT9BKntpj6E8>yB&3NYP#U2E`7yN
zLg*v?thmndOLdQOu^ZbP+UL%xWdL}6KXJysJt2-=c44U8`%r9)2YN_)x`&#A!cfR+
zQeFGlG>S#29bQ8QU1oerZiu9op&7E*bBC^sR#9}Fa_oliA>@?~@yKqYFGqFw+RiUe
zk^Rk&?ze8;+T7fXSKRZvCwgg$xaFgJ(+Mw`MfS5-)8j&KhlcjQq1S%<@a$5wK&DbS
zghRn><8Fi9_6SHc*wmr2OEE+qu+eNc-q0!@K6L2U-tQ&D*}A31l5*>*>LO|}7KIy9
z)oN;L>q`?&mJI<gFliDF_#E4zax2X%?YDDWnw_IY*O6yVy&P=odGQKHLShg2MMd?d
z2A<2zf4chV`K<<O*3(L^U(caP$?;;HdbF7}JJ9gJgQI7%Z}wl`{W0F4ix?u0-puI(
zkh@S~@)#R1_VU&N%{aFC#l<@}C`)p3a-jeBUQpv>nZ<1Z3(YYfYEJOber5Rf!I_6=
zT*>rvXuH_gr|((i>PALJ+DY^Clde#iz-YXHB+ZVnpqyeZ6O9dmr=0t^>TdvqFm3c-
zJDwkkK3SZZiTEzow6h8*F8|wTjeAx}iE9kw36nC5T0p68D?fkke-5REP0-NLV5lG~
zYhJ;;D(h$S>NaV6i}iPY-PE}fN(X}jWm*MtWo3F9GRs51mzorP<_wY*JwD&`spxwj
zxYQ8oyS%*oQdApRl{75=5_@)B35`>A|Ma~7{d;4}P<jIdmx2L^vetb{Uvc*|<FXj5
znX;ye&h3+hP?7NTwRdzV3#_lMGE9eTO*0i8WJoMoSpM=x<|o>?HFHc&__fIDK{}f#
zy&7C`2*d&v;V3mgN8u-%TUykof&|w9<l1ck78Ps!#e?To7=2<B8sJF&?)`g1=Bw|-
zA}BqNt9;5fF4UvDm5*h<vh!=jK-yCD>X+i=wn62_kJVS+NU-7WaXGh0cwO<kJp9Ba
z*Hl@V*sLP~J?bhIvR7YUOV`%nnvE7=A0ilq={W|ESgoHXrKYz?qsT~9-tkS#9%9SC
zm+fBTI@Hs5Lcp!!=~GugVUXbS!?e^9?1qzrL-cdE-<#j1I7MC>04i>;og#1Wo~6;l
zh#%V2(9{%0DcfT2++hQxt1H&PcUyMXw(j~;t7vml1_#N{XIIC}j4(&n28{K&W1xyu
zz?E5Aj*CDZ&=61T;E8)9aoM2$aakU=g|+!a3&cL`2PIf=k|pS`Uw${%gMxwpUWO^q
zn%f}uY?J2dp5M%-JV~x!|7r5rthlIie4Io4Q043Qh5Gl3U^^!gH3B?qA4{0z#w%-2
zoiDnvxi})j<Tcq$(abcdaX&7UuAXcBmOMQ%x8|vQtmiBZxBjmtHFfoQftxbdw~uxm
zV>oYQ#E_cEdh9Vazjbx35G_LSx!6RH=#TO|D#cb!3MTCA?CQjGWF@?samf?oDgi~g
zST|{}DXoTp4M=PTO)t=aZ?uOFIrnAX3JpDwq+H6g?{)2(`c_u(w)Vc+=Q9U=l0x&D
zoz`aF`gOpj%eU8gQOqY6@rm-hxb;h-mRFS9sF9Gn*6FRSt>xlhlO*Z#fs9P%Sj2{<
z_(e@k&2YG2(og6WWe(Q!E-B~FzCMGB(Q+%rjPk*R)6uu6goK19tE+y!Gf+o(6jf>#
z#~bSU?s6l=Lrt({#KTlRo#8y?csP|?q(k{@TfDxmuByp%zZKiX2WMPUhtGJ=oGU%f
z$M=$EBIqZ3>V*F+`@r!s8k+~f;-zuS;<->neQk}E4OpLpx};!P(-6T<Q%7suad^|h
zgH<bw{cJd0{UV1o`&uc_W>_Coc+n0kW5S3!GV&bNh-Kyfp&vacWc<h)367Bw5GV}U
z-{bj(UaH%y_g~Au6a*Rl!{dkbl3S_QzJ2(DOmZyWVL3I0CNUWo?~gun)$;iC=~MGU
z>IriL$9MVKwr7qX*I-5CO6dYpTCX_3GX15SAND4awtSn;Vo|uf{`Pl>74O8zY+xjF
zn5%ImCg&-Cc%XuhCVV0~yUO*Vj!Q|ImO_570c<{ORC9G~y6fIhk)f(l$_|1(!?he%
zDK96-rBm+;h#@#R3zj7=Ww1zx7m7vYHqoYu5ta*z5+Ay|&rLnVf8|TG(Oy-V;#Uz!
zZoV}&J>AkQRetBrVb3KCs)7^ou4<#^1_sM>vDJ=mSv~jT&|KJ&wimgI*d*PUkDh`7
zZH+y~8w2BT97f9!X|9aI<5xE~eLX$>XVRP!)-n}C_6#rQ!CeIU0*8Tb0nP9i>k+OI
z=me~t2Gr;G=<=3-{&a$z$c)fyAph_S(B>axNT3-A_l5oGfePVK42Z+F)A1v4wbB6@
zX+3qf>tISG=HZ@nE8#Idd05vFN3V<AA*K~Q#>riq(ygqV{T5{i%dQICBJmI{-A(Ig
z&Do2xQ|%qa-Zeght4$rf6FB-bn3`2A0Ujfwg?!lSw%>Z@EL8eyYD#6~4Spjl*CL`<
z{6o1#fz359CowTVIG4X<pA62KiB$R4q`WPb4{s`LkU}kY>LQ0jvZ?7xN5|^j{t&zu
zi$a@elUGVaO6ZZB7bV@t?=ZEtwJ}`|7OdJkmcLKvQe~Vw(PQWnLjksQZOXnj-e)zh
zGAOR1-fJTw<v_pO{?6K}^cd9{#iM5X)V3sA$i)KG?Q>cO$%$}kdFhLFD94I)>uTrV
zF_Ru3CJY!JZ*R?J>C!g!{W5UgJsSmYRC*IK(!z~Bx0$pKenu02uT@@D=ePHr>68+y
z=QQHt;_Y-Tybm@?-ub!2=b{h|jbP<SBM!Q~=S;*(SEuaR5p8`#QIT)6%w574nmmF$
zjsh_NFe&QzAUs4J=@2vE{rO{zFx~HOS@PNPOMm#?ZO=YHRU#*SF<3$dZvHsS{0&#;
z^<|ZwOzRsV>Oqe9QuXk(3rR8NpV9E9VSUv`mdGARhdA(vTGl`J{Hl?mpR=KG>S81V
z)v*At${l;3%v_6Vn2BPG>DSX}z(R4M0e9!;EFBArbX&ws^!!RVD}CPg;ZW#^&3fL;
z6KiQ51?tls9bSYRu{t;6D)gq!MA@d*i;9d=T6IrNlDLn(AVn&c43OjeFcQ+zX-&?;
zYgseNU%c;}h;4~sdK0=ROF+9)o|CZO=I=@5yJgwA83M;bzCS+fT7*620k58&&E<JL
zl@4QMY<%y8d8?=@lD4)d<JK~aFQPkkEXH{S0??uuE+x%Q*#36CyZU-ZcXzYX*Iz4N
z7mwpoNXHxiZ?3|g+GsOR#J56TNlHpmQBmRH;lanmjK~7A?<UX7%WF~fnN7fxkN+Hb
z>Lg}fEyBzDb*X9JF+LlOntu2HGh#1Fh=7Xza(87YqlhUTpB<DN!_R@7$<OCo%go_V
z51j{yzhM_Izxi__#25+Nxref`vwy5|`TASz;aT_A*4eC(U<j_GuCkj6nsWRZIy!+g
zsoE~)5hzb{HahM<o1t0y7(l;!({43CE;mua^H!?PQ8AtAa6(CLFqputs_=X9l#4VU
z-$CLFKu39ddjsz_2IT-$;-ALH_jb0{1W$TSHUpj<dTc(_(cuCqMFz>q1YRrWW=Y96
znAw)ru6ts?fBib`^6ucr6?Agac2{R=)&t1hA<MwWUsNqab~l7ClxfXM0zX4><oId$
z^ACZxm$Hz)PXLYYbj1dX3=dS;6S%iEAUih!BLmw81U6umqdm&)uiw81PHsB48{ijI
zIVVyv!u{_g_&I_AM#0;3qO2#aU%raW2ev2{h+)p4^~5R*U<GQ%1E?;oj5h=>cL4(-
zW?6qo42lnO(!PD5A$B^2%h?ozcYrIDA%6h0IjlNgU&$9i6OBO?)9`LruU>`X$_yy8
zv{O#Li^D6xd++Mxd%v{2e*L=7SC}aucM%}+Hh`XGa6nBS<JTts5^29bdH2p+74PiC
z;PKX{{kY}jcYzOOj3pAw4n9gKt#2J5&&Fv(HC}aJ+WS$F(`c0o(5%fQG>@$)^eUTE
z4R7Rh_7`JS_H>brg~7lDZs5G?b5SxHHbDnbD8x>ZZd(?6ot3g(7$}Ysdvara&TzdI
zcH)MGwoD|DO2pHNEYaVg2zb2!yto?6L5YyPErC=5RrgZO5P7#1qxvQ@VHGm;lk~(y
zVoz%ur~$Tx?&kuT1tVJ^F9YNV1x0oon(xp*k<gPZOU)to3w9|#isj)Uk!PbY14J8+
zPJaEm;?*q0itu;-DH|j6pAcy23~%#FdtigK9n=u1yL$V#qx4O`!m1i5!nWvCRh@H*
z*8`%g9#wM-r!fKg4UmQw`@7y={e8hm8ulcWh$l}@=AeMvtnIY4q8ibu6s@-N=g+He
zL5Upo9g4s=Sgg1T!c!KF$0sqhLqO5UPq4k#g2#9vq~zo=-wBWpsIe4hm$Y{r8L%U?
zklk6ueP#WwuCCwTYbF-Ie?LG%(!6<g;>J_pCSgWC6bp!p)3b{S2~oUQSzj+TD(D2B
z3>M<j!UF!t%^*-ks-Z@o2-&~X#4!K7rKKfGZFv>=H2ZUZ`80M(Rsebr4_EZUdNVw5
z`S-?<RYe0*Vp7EEKLTrvn^l_;c67jx+F1iPs1Ak&35;24s?c}BMC%wJK&1g^ZMRFH
z$mF)B?xsMRv256m5o`3@SU@V+#r5FD33c6=cj7=F0LgV|ZsBc)Yz-i6b{U_So9XFn
zw6yVU9JWqQ<Tmpccoang&b;F{Y=jM0sF(3hv8F)xUT*NNaLPU6f4H-SSIB9%VM5_L
z%*@0@{?>-qj8{-lD~WVd^2+E@exQWnbqEA!|1e><fx-a0jS`h0X+9Jl9==^mYl{aG
zd+uIS@UBdHIB6Jem5GN)NKmlPlmb#%E0mjEQ>&h=0P9vygzT(DG9SqCu9<_iJRq%|
zqI0_XPG|pPQh-UfP`6{QwH4<9DWNKNGcy(JS`Swr`1e8!FjW7GM)UtH;r!De(0II1
z3>q4y^jH!!GY-f#Ky()tp;c8??d@8U^uT0ob@cW|X6Da2=%D!c_%<(KtsX`JYsND-
zT)|tKoSrUHjD-T3iiU>fkFciuWw^rbEhmZj7cn^pC#OhKzMFrpQ%$xoS-FAA(v^C`
zMsTG@KTF{cb=JirE?xnI^4tBE{(f<8?ptpOUAg$FDP&@B5HUhv!kT$UDWE3~^z`)o
zWtU|AC_~=7c{9RAAknmJY`)ypSD-+kYGeI}XXA%Jj#5%m+8PsBKT&^we*@&|RndpH
zq1U<6e#>0PZW$mS+N?r$Q!+9dAcjLGjf{xs;g);_K@mbj4J;?%)s|KDkc($wx-@Y(
zoR*fBg~ca`f0WU0SD*rha@!MP4lL0r@=UZ+2b2f}|J5ldnWA@Vc@omo<!oLb3|`Vk
zE)p1~sQlqu!bgFDSNCg4<150JaLdWv*x%b-e1S>0eVb$$UjZ~6DM&d`{5;I4=4mrw
zGtodU$^dS^SZPmDC%j~SWuh^IKmc0s@bbdLZ8|M0Jife^_MQ>^u??(^CPZkz<<GFq
zijSV+xhw_cov$xUW{nHK>Opeyr?LhJqmH3rKTzX`gM0z;AP{bTjtA<GzJqrL)_A<u
zTeCEHrG*I^!d|&IH&*u($g`3rcFAH~aZ-G|zNsnm!OQ=aaoer`hj9Z=Cj{c>^lb7!
zM4N-<_nEg3rR}rON`vKj9Or|+|2LA2a`;0}Pnqjb8SJWa=g+ePT?N6UMfBj+$&!F;
zry1WA%ScJR{0(wik#QkS`nC1BelH^ewW<KR%qp`x>6=Pp10=N_utC}0N`{=j1WyLA
zmbNS_QBmjVR;@7|IAG!Fi95P<iSO~)mUEMz&r)Ddv8wYuuZ}Eie7k%9ev}O4`obpH
z_5^OozXRn~vvjO6UvTtZ`00cMI=0hta`m`E)XRmn{6$r49<2iH;!#`*f2H*+l8xRU
zJsGn7-ym{?O@mx`8Y0NbYskA50dsxai!#AGQmG*jd|$p)3Jm-W*`OZc5@?S`)C7pq
zKL6x8tSuQDN*WpsT1~z)?&I|WnSLY~8ENU9n|k7^8@#j(R#l-OVDb=ss<4YR-Cce|
z3qibbe=l%g>qp(vf-rOKiOX+vBWO9}PQaeg`a}ROFgTE1n6bXQ+t&snM3^6F+=(bU
zZ-p30)4Z^GL#FMU+d`BdkMdo^w?@ar97#J<W>`3e^Gz{5{H|@BjG8su##3F;V6s8+
z2FI`vtYF;WUv_P~Uz5|u9|SH)H9o$+8VccqeSLi}>$>b@EeXGYmS(#|a*LTkR7eU1
zy&crU&&BeAo9%xHHl2P=9UaOSr~khq*X{!cd*`OFDkGVzu2rTEdixG!WwKY=Uu+<(
zSo%+6D$?)X4ed-^(1{IoqyG@NzxxyNF8&fZ4O?HO?q!w~Tle}EG6vuDWk~t*^70km
zAlT$Ujq?$Q@q;QiGkDuY<a5@kDiT+MLTaN2kV!rJ){jWNZ`0HKo%^d@Vg?j^JQoH*
zvA*^L30ix5Hp(RI;uHnfYsL(kVx#>^hpsRaAT<p^ojDi;kd0?aH7zS-kEILf#sJuj
zhKIKkc-U3b*tPWaHEo`2H!)+I(++u3kt-7?p$i`#fBW$xj^v5Gk53gY=LMSm86v3-
z%kdV`urf2>4y3?z5y0!JhU$9cheyzDa}$ih#N6Tk%BY2rM5R1Yx5RAwLP$6~=JlFU
zR<;h__vgZ(u1+=%S6~!kVv-uwRqZ|zxAuzUFlZJrZ0CdfAohL6(Fa+V^U<>-U!H4y
z0={GeFl_W^y{2IxDJpckU(<Y65WikzfaGb!dRVxHjZ6;}lws%PfQO8|WTa5yc`wIy
zvUT!xI90*>mx|1P3;LF}wy&y7-@e6^Mg3vXrdVwkNP$HQW@34z4tXDkb8vT$FQvTr
zW&VAkE-octSBuChXakwLs<lG5k<GWNiBkyNbjzTU_MAM(L*>bPu1y(qkEnQSeYJD#
z^M{LdKGhzRbTj=+qw(Fey0JpqdG4X)+j>;xwn!5tp%+0&beQg^AN2G(5GN`Y=H>(`
zmCl;7OMB(-Y%;!6#UM6aiM*N#g3_=lgRcQs#Ysokm#ut&oSd95)btu4Qy|d%Ta=lX
zSxIC%l#R|+`L8+F+k+v+h?RdVEQv|gB>WNcN$Z=F)}%Sus$TD2`3oRp3=H5ZsHBUN
z1@Ocy#|<#4iBAFp17j{l@%xuUr#zA9=R}<A|0n(|OXdFihQRAN0-y$$hX78pJrw@j
zRl%{FSwz(|DYP}7Gb=SUqSOO4rr|TLA4Do#XS&l&&ueM5_xA2X?0B-%BfFF>>3QwY
z`}G)`Yt2#g2#R9?jRtfAkk0pk6kiBA;I}%}0m2M8F_bN0nwk{7dI67~OP8Y0iFLt|
za$PUwAqoHRmrJ7-A#iD>|Cvi`Z@R<ee;%@*`Z6I2`LE4r*8!3C{;~O4|0}B}2&lHC
zd29kAXFI|#_Q+@-LS5hf*nh{QHQw*)>||KEr$rG-%W1j6{oHiQHOasSuWSm23&DsJ
zhcfa%(-h)u-(6JxCdd^*qf`zx-W%)<?n)Oe<9*g}XV5fspXnAbzt)fX_~y-lfR?}u
zwO$VXW;#GMfuI&^QR_v@UbhqM<Ycki-Y#+KRH8dJE<rAEvy@Lv&63AQMVn2_($ezW
zowd&P_Lo-Q3vaP@|N7ks!y8rS_m}tTBFUM4V)G{9OgxAD3jl;L)i3@#;%p0uv&QCo
zz~Td!RZ0Y_F_+-fA&_T(uMy<aw7XE!xr%b{-|jsiONz7<;ZOek+F!1W01XLW`xk}w
zU#T|&3HR^lxPKn>xIL>-sog0ns8vrHxybWvsJyqk+n$O4Gwf5SVeJdEQISM|Ei37I
zD!xBH`EM>>^rb{QRc@hNBEC2Yz^uOHXr~uolXKDWk-U<<uulQ|y#1ksTs#eBa+Ajw
zk~&v)$IfISC?6K72%;w}2Uyp>LzKD}78c;ukR<^?G&MU5FfrroV=R}8iwnR32c~Sa
zw8I2IgyV73oMF)K{rsd}Uk=_Y#tL^G1hf?Gb2I2U&l9(i%I0RZ;KgFB>om|bbS5A;
z0UQD?tTcBB1kl>sSvMI$DKf|5e13eYg{k_y`}XbI>B0=OGJpUbZEXo`gyYIVQc`Id
z8BjOdECg<<em$rF^~gzAB6s0&i{RJASlb2WzL61WZthq0g^B6uciy+Rw||xeu{W10
z>48Gfwwi{9+3Swxwzj$#FJ`8vSAqbsZ|xstVxna|?F?%^)mx|iUXI?Q3s6q%XBp;c
zK!tE|l<E7C<L7QFNw0$cXexw)ifV0jwNi;!DFe)G;2U8pRYMZ-dTwrRu$n|R%M1(+
z6XWB1A;JIBGeq(yD_w^~X=!PxIFH~=O{4Bk?KI&q#o6}u_Rn9uFl#yN0nd;c1g)ac
z6|S3def7S6T@&YULLfaQh17hdO&G2!Su_Q+3#AOcB_=Y55a)@<pm^LNJRVPWn3;~1
z^>VC0{K*7W)ncp>H!!!fhYwecm+v28U`TlJ&IH742iQ`(J3FO82Gd{+k&~B~PJr68
zS{wQR6;cAx=*wqe;o<&)f!<uQh`L+s)RaBcYp~8fc4N-pKly5C=-v{<4L9<Y^NM?;
z!`HTc|Ni^UgK9=Ue*6Gw=V^m(9dPm4%Av2{yx9^pMw%C7pWeH7kNUdf%F~C#!={Zx
z&<_(}&b|o6JP1eSAihODc9U?+N43JaxVWrAwZqturIeP6@YTZFy73++(*ajizV`n8
z`%9NDN%KO-N-4zas3h_zuML7k!PX9?dWj7r_~m4z`-jmC%<9j%{x_)+@xVw+-pWZJ
zN2cb<-CPV5pyx-_jzkHSIy0hPJSR`~!TTuI{o@Ld0?8yUa%c97Ahm+xZIp)*pOuxB
z(xZZKM7h+K2D~_i;)l6l{+Cx)Y-$E*Pi^fSB6t^|<et7Gh>x1pTy{E(!-y-ctgLWw
zaHKo+&|SQEv8Sg8tPXCFy6#i2E2&Y#oVihA-o1MV`pz$2Ww=aElk-jwu$Eg())>@5
z1HkulFX?J&SsObayb{j%wf8DiT{1AkFk5!uV?0`*va=ZRa|5nY!YIOQx&;&724JsM
zQ*af8k52ZGkbO!CDnz=%z9UIFl+4qO9In<pT&Z~;-!mL(@Dqm-Vgh0W%o5UXwA1+d
zVfo$|rH1chhLY3D$jV;mzF5@RVG^ak^%UMZnSW9_7_6DqQJfU3F*vwD4cc8);V;$d
zRV6t-U}h7~D<g@TyS?#p4joDSZur$0Qybxrf$OKiRH^CdxdN*}YTn5IO(DGDRN~Ei
zDXJ6~Ep6>Df8On|);4Uo(1Qu*ZCJr4&_ei9z7K5B)vWr9d-5J(ClK|jq}0^bi$&cn
zkd3ygpietYcnOB5CLD5p3E%BRkDt5$@=x1MFT#3KcXn<7{iV>}Td!oaGXk%*N1M+~
z5SAwxg+xRaLEy8u=R4N680F**96^N;$Z|auc5T@x_(ybSCPTbpNa)KVBgsR2RT0F8
zPF@)SY|OwC3HcP)@|%}Y9b9ftpPq6Ge}rOBFE#!y3k?m8kEczAKhh%)9g;FLe@sm!
zLx&$_qgX-UJ(O@8>+khrxN+$!L$=y_dNb>?IHcvRh*`DUh($D18*w{TFWoMAs)_Eu
zGC(BtfMtwBfz|u+{rg*+EJj^Z)BA;mg>et1PSGL`U+-|pn<XV@WQ;v@Z%hN1ierTb
z!G{ncuxgHniF9K`J5xc0qULvq<&wWgYv1;;oh<>aya-EZnVu6wetw5*N=Bh%)JYLd
zUxKDy3ZtElFfRG|rQ6?+owQc+^LuW9F;c0H9>HDvZyhfgnpqGPAb7U6wyGdNF?18Z
z%|;=#-_ZCvISHwlO1otSvJzBJ+}zxdT4qlMus5Fy%SJ&ve|)JfmD*MY83RBBj16p%
z#auP=or%|fNOw&2KIoK^Cr=u9vZcdox|TO+wA|N1+JAxNNz|&b`>OWgTQ>x-Sd=I7
z0)$MMoXcQ~1avZ8?d9XsENb@X6B7QvIcG5SVi*jjrMcM$s9&hYRS<$fm!t0}s`4*8
z&5f6ZT+-6Du#e!4o?yCL$b_trFLrIejq`CLmi70WjFKUb_<fB%Yb`u;bGihDaZXz`
zZv5}+ec=;YZt-l=Nf{YH;eB7N6MfIta_FzurfZWQRKiJI!FEl>FA!gFgP>;+EH`ss
zP5+MsK=1s&2!P#sqXHcT1qE=B&XGmnQ&OSu8$yw96_Eo)hIZiin9ex>Pn1Icx@?lS
zbeB0W4}KGev+X+F&09+*IAnunx>-~?+cM<?eE~Fze9h7TR<94EpD8C)eK=U_V)12Q
zhKhE;@VC&SL+a-0<TM1R55fdk1>*n-E{!+XGLh5(ah_}%nre&HtgwL*vui!p0S{46
z_VvlEM6=~n?9Tl$)9hWhVM)9l#oF9toG-ocZAkMVpO_e_1wN`Fg6(wBwhu1&`{)@A
zp!RZFg}x$ha2RgaMI2^%S78U{ylXT$1@}7*tFrwJw~uY~K5qUVQE%6*yIy;JDf1#n
z;>-S!4>7I%{;frqfvB7ddnkG3^(v^o4<xUcfyeb<ewy$++b!@zQ9*93sR0tH4IF+X
zp*m;kcQ-%s6uub;6gV#>C?&<L&CgQ|7+8L#`AAV;M+XI|51s{W0>J|0F-#YL9(AJU
zc5O5j+g~C%$qpX80X1sT+Sv7p!3!t7%m*Uw9p+SEGY95w`{$Asm>|HcdoE3)#h?N<
zPM)OwtG?5@0?o$5&U1pVeR6Aw?!*W1<$cM8H4apJs3}JIB5cH*SUfp05)2Ob(}A#K
zmxI5U5zICIZBh4_Njgt9pi<ktWP+ZAK^}0wWYrKruqT7KK%WYQGJ$Gxa&oelF{P%a
zzA|24JH>nSn7Hjh61gJsTg*n>|E})Ojf@$;pOkdlGIkKC*fOgoOHCwVp-mSYGh&^G
zSx+Al<COIkNd@YIVm=!yQde7R^Be5RH-3DQo__(X*6hN<Xs$YyeLon<S{NY@(JK5R
zik<uZJ$4lg{`eNKaP{>viI|=QGq!0UB#T^?mb{w~6B<@Kg>9t;1jro{W_6gt2hWcC
z@hT{A1aah~<-|tNTy~bl-f|reT#~QKhtP~oCd@qUWCdXW91S=#obI46PxZ>JL7cTC
zHl(e(-Fv$7z|Pvz$C~m(r~3}9<ox`<*lPASuQ4d4Y<oUa5k5poaMeV;1Xqo{{r{V*
zMnyF<Gt+jY&k$-@+#pb)TRDj20_Q-VZ!>#B4-^>9n*htJo-W7Hi&Y3Bp6gjBawKGW
zwU95oF;Qe?^z-9D|2-k<S5ne?(9B&yx?fZPMjGAS^ZThss=1!I{9~gzsP^w|G@k$1
zXr9494j*G@e_VuRJ1ZgK1z|v}VLj>4kM)@E;|<5^ntP3jO9x(DbKS^eHcBbdxq5jc
zcANZ66?-CAb#IoU)jmfp^pB0uzwb8AKAB)uK7PBmqP*N4Xo9|DHo~Rg!#f(%av^f^
zQDytrg8=!UU@|gHX=sqI#M*}!>Su`>0!_zDd}CwqLSh~Fmde1*BrO|*Ex`KMM5mgg
zj~rrbjy=gv&K;+8gE)|9Qc2HV3z_U;&y8OWQSN*kd{h->K)BEKHJvJYZn&QvQ7ypF
zZzG%J8nnc`!q8=i(cDjC;w>AP>-X0{b@(hMHSR>QgUv1;(bUv5Bzo~`p*@jzx~3+9
z11+L7UoIOcxzGzcccY|4ry=;XCTt-%Taa+rb`Tch;2>r?WP4s<*Y(yAU7t2hl5H-4
zgs=R+rfjx=ZZ=K5I@unRp%}vP$4s-qc$bruqBxlk-_NXqNKv8;^Jv(lhANDnyrLp!
zS@MtREO6Jn<tHpm5jBKu_rh@>2#%{Eyg^^e+QA{;m#0a)L1y^sZ{NenoL~KmFA%H$
z-~2Y5%CyRB6!I)az@orj!ni+qo+bakvITVg$9;j;)m?lb?S0$?V1A!r)9)X$B28;O
zvPI`D*k7OCwKZiIw^f6f4!qHIU}FK}#AvBa3-0ahX;GYY8@_2uv6Q}3Eu-+mv}O7R
zoDzUM8WR(9s>*OB8~ZVEb1`~G#Uk2`{Y&A_pT%*IusCE0gsW%v8HoYj=h}CV2W`(6
zf~m0uVs8oMm$K)I{3eCx(rzPLZ|(9W;ekxAnD$y=Z1qP6VTAy%-{E@KUD>_4r1`|!
zzsLl|y%X8$|8nJ!ofk3br+lX<Y#-iNvhJ?d9TV}L=i)Ji8-9b4pKTK>we|XiA~HYE
z&PLh}8$C8VL;tCmjr8i3p)&UB8n+Rn{C6H{P@Sw!gT_m}Kk}r4a5UoC-)I^~8vt;j
zq5}E>xTGz_W&Q|Z%9LTs3XPlS^Y+6~I^QCT=bdTatX#HYdrny*tdKt_Wqh|BMq3Bt
zBf#LR_Ni>RRLeI%p52y*UM7c+2GW?A$uEy}V+{?my~~RDPIk)O7^6=`AqFYm{Z25<
z!tQSgWnE#=HGw7U!m?YKi*31F;Mjiw@sIBjz7Az$L<g>=Kg2;|yBGX+C4;pxTVC){
z9vXE8MHBM&t77-w6e}E8oodGpV$sfnd23JrJVhtx6i?*sdprk$?fVYX9MWK>j-*-p
za6qMFLU<vE^(<SGBBRIPYCS0vkMc;CVB_}QOKj_d-ReKLgPoddO48Ve<)-s2;%dpg
zpL22!$d~<>7AkjMPfSdB5&E`}w@;*ptQ=EP9qcUEYqS{8TLW8=c^rD$C{c62INRtk
zcc(ky(a<x}ES`T(8SNze!*%>Qe-w44SVw`ynnmxH^T%W>RhE@0dnl`tQ3(kN6jwaC
zuz)@t>nnOvsiLrw{nmhkn*ZdaXa0vG=yZue-WnVn=(sBoBkls8QK1XS{5fmEEWalz
z#X4Wr;xNX@9k3}0g&YFj;621R@!NnQ`=pTKb6CNNtIiLoRHx7U7?g;38^zT56HOi%
zDR3ZDk3Ay2FrbelQa;9t=d}Ro%PQ$M3<+$j&-?@`ak@BrFE4aM;AFDCoatm$tf!}^
zZBIz8K0R50zyGVJ!=lG`24D5r#SX>;l8U|S)|X8@*$AFyI9~BhY7I0F@YpupV^X~m
z7Z)cbLkWD9dQ;9(CxZcn#60>VCybD0M`Rk-aAqitQ1Au*r5ZDwgR_zHt|s|6ed{6z
zGj+pKi0E^z;3H|g|LrT7Wo?-(<7k?IvK)v$FrSr~)5coDM)jDx>i26ZvCq!{(IyPQ
z5g(wRg|qsf!J_w=02@o-#zMGl(j(n;Wy9ZUajoa8v=I7ZxIw^i*2F$$B6)Rq%PXH6
zuv_`J@$obt^lwz1D-p!M5&`{Oc<1^I9=2%IB?vR2nuq1jXsw*qkz-6we((T4?cTUW
z*2XI5_vBZ~k<KdEcGwT#bD4jIJ@hu4AtS~pEyu7+ElxxK@AD8GF8RKt@GkdUu$B{@
zjmw3U$v+P?F-+NXIhL4}n}7QK9=N2Q;OAyQ#~a!oEShw2R%EQyO}-NyO<w}F&AR~=
zna8)*sVQavoKT+W&NeN&!lRidV3v<YQKN)oeev@Z0UMWN|4iLvUMPYq2pZL32fJ!I
zazH!%eu=@X2fi?8*K`yKXQSo^`sTm3BEq?)`tVt@SbQ71`CYUpQ$A+kE4aho?%e}3
zAg_!;x|pFM5^)@ZyW!*UB}Cuaw8-B~9gd&G0t%P%cG=UoMd)&>F9HSft09>>oTKxA
zL}Fh5krSgRdN_9P6tROWk-==vTQeFny<WO!tO$%N6`FK4jH=J+iQzeG(_9qyr}-y6
z2P0Suk<<Aofz7vif59r~+QNVkTLZ*fqXle^A1iBoK^ft6)E6%(x1jdqP6T_!F6-g9
z*+rf_nqQBbRUrrq>+S`P<Znbu8Ih95ULTB?t!71};Sk0rnQPq6YO?q?4b}(D25~vs
zq!>>2(o?r`T3s;HEn%oNc@A2b8KA?K3s_f0RYou~qScN9(e~C=5d;tVJ5BN*N;6R;
zMYCWbxOertYnrklY(ZFA&UaBGh;GK`cCp>?rrB$KGYtBrPd;&6cRT+R!dA+^p2Wuc
z2vI{;H5IYBeys5l>iO&auX0+(d@zUK_7yqsX!61fXd}gU_KaD41={Kl5b>{bj=HtB
zv0sov5T(wg$Y7K8u~;FbKw-PL?}@DR3_Fov&VHZcn!=C!z{oEP8EUH*p_K>{owt9O
zy3V*+<N(pe5vBQg2E2fYGup-umL(K>3UT4wE&N4Vk$g7IlPDXHcK?2EM~GY+JdN)X
z^Mcm1xRp&`6DdJd-SupHGzIDjgwR;tX(`fd>Jk(OZBx8fAtPES>0FGLmE;Gz+0*lg
z3q&W=J!2vUV-zbRW47(-U?Zft&%zMqPfmmu{r#q&Ij}iy1_-NWC$QO%P*6b$a+A!}
zVvYTd$gz3rR^pp7b8=N9^@MhLKKt<@E@=<+x^&mirb-!{cgUO6l14jc5K=fIYr=8Q
zdYt%XYsP(UksC)d6`-=bjjm6)K1PkwAJ9a<NM4_`vH<;zj#-yFU&=URPeb*<;L-S^
zCc}{Y^v;VyDCL*+lJZ9ErFpQMgx+J5^}X}1;s(Nh{P=MJfv0b;L=(Jr?X4v`o|j)h
zK;ouLd3{NU=fr8bf78?g>=$*Go!P{z+EOwyt4HiGC<&Z;QM=sgSVIjK>H{YP8~e?W
z0;w|@+(LqJ_l!r1q)O5!=`m*)4l4>hMnSI^J>RnhCM%w6wA9qok*#L9Yd?Qn3R~E2
zQWP-Jgrgl0rVls#`!*DEQ6(sR6H|HCte$(=fULu95PY>%9hv;&`0GTYV`F3S_!lAj
z!SgtRMS1tddf}r}e55TaUf5$8rxfASCs{K0S~V|V-q{`1)zfQr1*N;YH@5#%-F4d9
z9mV716&MAxdUuCddq>B~234=TJx1XY%Ep9v)5N~C2R%?UbPhE~5pxq-#2-T(Q;g+u
zCm{r}$OvN)?xhmTh8Mp+_=DGCXPx;im<gdk+!H?nM^Ekw=#M}5%$qE{XF96M55y+8
zB{=WHc`$|v3kL)o8(o2=ImPokySv{8il2fqtVMt6lIY*ZV8~G+j{ZKExgwqEQXH9Z
z{pP4E&$Hyl+k6^N;AliW{r-K-R4DizCb=8DyW5~Do}uGkZtRA#9}W`0>BW%!-I~@K
z<RSuYI3_m%h|L2&&;^1Z(+VCe@Wt8@rzH;;NLlJZ7nRPm@UqHKXC!)IoeCsKxduvq
z@roH?;V{J(?ba;kjYBPWI^6J;lj5qf08BPuMRX{JM?88Y3(`yuZP}!sbW1G$&kA&i
zklT1_#3v`mRy+q{MDek_SBmlL>ps3%zfQ380jcXoX<W1bhhCIMt(3R#M-Am$anOCe
zD$f<*5HI7moDD>ryn_sK3k>MOda73gxq{iGJU&Au>cW<nCVRas^<kdmlF(F8JFPS0
zT~uesFNomoh*Zmfr_D}JBg>88myP$M9N~OsONJ1uZGff9(VZ`1wGq&H0G6AZIMY_n
zK@W+p;RfyyK=fjo+N{Dhlhut^_3kh{Pyzv`dla9Bkit<C1{RiD+ZH_dxP1+eSa&EM
z*#f_BzceU_*WlcMZw{Ozd1(x^up4EJK}vQ}kuzBL0VQma7-e!50C}|oXHZ0zKY>VJ
z<2Bt0M5ZstO|q5cWrOspu=~KJ+k3dhO`p2{!$MzQf4ndcbuQU|HVCJ>MvgKb;<56>
zuN(!olgSTXUD@r20*wXgDuH|MGhyrm=5$_&@V}`)gaE7tfN{GjWtxGNb>aK>E1MSy
zEOS5D6Km`0-kUhCCj+6`R%e9d+gDarItxEN38tBlkdVK3sRwp~6K<M<6pTJqDO>Uw
zW@aq_lwsAC1_?h%4<5Y3E}NPOlGPQ593_3NZD#l^-_31$VL`_{MN@7X1muBu_*`q`
z<pf2lG;pxv<KwShy;_IPcQVA$oG{m?W<GiIZws{q!6TEBipmarBZMccuCB_-$$<#;
z66jT}+K-(hBWcwVw_&XQzW%v`nkP@fy-|b1or8lZr`TP8;y{l1P<E*cZXon&YHEt>
z5QG7Te_Dhz{}JjEATK3J5p`!_s%bDvIj4j6@%P^WkPgDCB`C%7c~6{(1*)6A3#>k&
z`ihwR{CuTPzX<I{h5H(gQm!P|)yX!$?FD0)$e0Pn*GEuv;>{agdHIa2gP;{?ZW|NV
zxq5j?OcsL?E|?64oSkde)5oXOpaS!5oI^ffYG!72tPqV#X)yui05kQ$>&6Ya)yDdI
zxyB`sO%z}<=$walsAs~$4z?P@6;kt&<)9L<gjsNXh1oTgUrvT2`R8dO!U_|9iW7z*
zmPmiZ@_4%+%(vu2iqUg!{BqZTOKW_J!`K{m&Jnp-nGXwvF!pXECLb~>z#+qwi4_$5
zT&E2vvG-s`M#ke6*;in+BPS!k-hOy&u~J3KV5~!AVSPgbVNv0@{wf-9=FJh~WNu-x
zxU>X50TA(;f5xFa7}4rVeBI*mQ9e>+CFeWb|GXlluC9*%Bl_e?9~@vtZ$J4J42wji
z&4lrHsiWWJmp6&wv>TyQ?fd67om{+6YGvAvYa;ZkA&{I7S68N=OCYQdahR>GX=-^8
zVU4`p9L9f}z-hI@Lc$qiBEyuYPoLJdnghV*tu%jPP5kFuB)0V_IacFx+t!{_*YO{{
zy}ZH-e=))YJ3qrnD7VZ~0HLj5I}Jyuw~qll^k|NXIwT3gk=8tXI@~!l^poCo^XJc@
z-rt|b#t3@MB5Z=zW|Qr;%Cqj{JBD5_!C^d*eHR8Fv|N8aSX?EinlNf>f?s;Up*e+i
zc6P!Uo}l&oB#=3B^VYhLMLB{&L1T!Kj*hFC^4dFNXwZQy7b_qj;CYWdx1y%ztSGq%
z77O74xaxW`eMrld{_uMhop<2Kwz%D4H7I8v78MD8t!x7QB!^5qfU3mJR0R|n5<`7!
zYisWVu=m@dWI!sSOB8}r&wVplB<G8;MwTGsl9Q5xL+=F;;$Ba!F?Bi!0!0pFr)!5v
zz2P|DTwzwQtuY+vki)90t3v_-%dx(~Rz4hGKKdRGU#iD2rl3i%b%gT0JUo<+Gcz#Q
zI#0<!ttXxd8|a|&p-Qe&h{n1fVKQt);b;P^5wIXL)<po76tcI&8M0%D{W?D{#5V{c
zaCzf4zG;;g^eHQ-2qD#dVV}CmBx>=}3kXy=YPJGr7o+B7R+y6Ta7;|fBReZ=0uJHR
z-^-E1k92>{fKe$u;CC5N7*NMRn~VWbeHarH9j%-O{+sEksVDuQ*q?g~t{))eh4ohs
z-zuV98342Murmz%aZ-OyTYh$Z?rI%v?Tf&rf}6Vuj>>}!W-XlDW+llETH!nhtD55i
z6G;gP%iyAZmO^|MPHt*vQfzN+Rm>Bb2Sr<wL1t@LNX_U9_02=NSV@o1N+&3IVN`?;
z5G>WUEtIvjK&eiAIGL7~mJ90Z6u5!@{_M!hwzgR?NGF)U4-^cWq`+XSC97$jfs=-k
zgkK*K0(WQLPO3k=+W;~>Gjm*L5?Q^K2fqQ5&vq-w$3(Ze&lNnGhw{K=kVtuWiQq3V
zCEg)R0Bw=-^K-&aihR47H%J&LBGo2hIgigoUaD$FAUSOB{+uYdv_nmJiof7sH>F@l
z8U|jc+pz=|?&Y*{JYhwPdmk@yU^MvigDhM95;Zd5cKy%4@1hcQW@Vp<-E92oyU~nd
R_>mtXZFN1hG8OCF{{uRn0J8u9

literal 16265
zcmd73cTkgExG$PSqZoP#pwdyg0s;z1@1RHvRXS1>klq9&(yNF9q6ku@3kWEp6r~rX
zccg<-l-{JBC*QaCKKtJL$DKKIX3lZOQ9|<Oeb;)*uRJS4^OiCx<{SorK#;1cC}<-P
zNIm$wL4<-=HW@M^;2&;xMFV#$CubiAYa4fjvh{syR||LRJ1mwyEOzeh&f@(1&JGs$
z-8~!~E?YS{QVNJMz!l8y;tbsX^K}FgF5~^m<jD_>uL3lU6UoZ~m9gemP`$asLCC!>
z`b3J;yJ?|)Z<Aw8qJCcrJ|0h8!!oak)o#D?-KWiy)xR-xZ$n3|+QbLFm;Yw@HWyP|
z_-8YJIR@#v=mNQ1jJEgn5_8es$TO``;S9g=HR9Rl+}WZP(?~+}n2tThEYo5Y(%hQq
ze>MjA$R)>WY@2R5vh^7J+<Wy<>;4V&sWT$WA3h&&hdhc8Gonp;JNR_pl)3Fx!$^<n
z$Ln+6MvPuu<V9>fJ8?&@l&nIk*vs#@9V$zaiylw!KXw0O^n&@++rSHtOrLuCE_l#|
zW{REsq;8~9#%=JMWJZ%HO3CjdMGptRyL>%Xt4|_Cpkm(e{Q8<!aOnt9rtUZF)92O$
zGOLAxX7*$CAFi!s%Cvl3t1y2NN6DY}?APlnjE@t(T1rK%w8rPRb+?^%Q4Ae9os_cU
zx_)}W>h195=S!*xgk*`Tf-KH^<adg%0k;1rtU5b!$KJc1N<mSfRZ~k%{f3ZJI(Z0F
zWOPqv0xcc3*uXTBMzNuRI53i-k%d1l>D6j*s1{|Q-L6brhF#L_-wY%L6PyEgAG&R)
zN;*7gA1{+$VU{SfEjAP?v#D7r6!9(9tCl8W)w?N4i)6(iSc5Sv!J5cm3LZR#9GaqF
z_F!)#`I^)A`ubvTjz%n#<SJeJ(qM6CYpcbSCQ_l@xb~s{-uj%R@Ak4qaAOpmS@nYi
zv?7|qQR?6{In!7s+bJ@Jq=baV=?ql3NK>tO9UiIDDVK=~_e>JLs~y{h-}G7;xBjSw
zR3L6>Y~0F~=<e?36X(I(Ju0<o){{lDD?h%|t%You-dk&C_Qhcx+EH1kaBFI2W;1KF
z`E6PjtPEfB*3zK9A#x}Yt%8R8hPx+4!oA-JE<SMvYyNvxS(XQHAhLW;0Zm~a#u%K3
zu<U;&9q@3n?h!{*?Xzdp$Lir279(~}&gO;y+N1S$enVp%qMOCCg(6|stkRh^j3gZu
zzI`6eAR3KfnbmM`a4;akA<|JqSeaY|e9=E&iDCJ_<fT#;^z7Um7K`P6xHalj>%Tp0
z`#RugFW_i{IpGeidiM9FzgtVg!^1d4o)vnm+V>g@%Va|YwdJ?|0{z3oLyc4kZmGoh
z_(}HrdelPhuC5P$R}7L2ntgQ5wjX?(a^0(m$pUHB$`@B*Kghwsk^j1e?e=?zJpJPF
zmD=N5=qKWD(W2twN57o{sO`6ZkB05LZZ8i{&!kHFj(l*6J-sW*!@|Rp@3S$lEoG!#
zS7K3*I&lJa<O`<GB<g3G!N%XE;+Yx-0dxHBuiw8V9Y=(Fg@kEOIAdz^1q?;BiPNpy
z777?nVP!fLk<1TwS^qS;{rqlm_KTCf{U}@vLUsC&-|CmsR+g3}N6pLue(?CC@j}*Z
z@i(4dj$q)pnN(ue&Bo7PZ1e5q+|Qpk1o0eelV5`L3k@F4CGhIMzt^AdGSfsxM#jp@
z`XD_cX`?G${@VR9E-IFdsrs-eYuv{lKYna|ms_E)IX>FYNqvxixAzUX<ff*aT%d~E
z+O(pEMkg7gxbWSclVMs$M)?o5+n@9AY;4po?5s>2_i9M%ww{cbc)0H<kLF@(B9}f8
zc(D0vf2Foo<F%Ad&aG@zxFHup{qPj&IRyoUU+&_3;W@pK2{lK53EP%=HelzE2^}5X
zSVg$Z*f#@uQRlSW{+Tz*FX>FZr&g!xkB@e06-ii_6~0qzNVxp`&X~o`$G5q<TJqt8
zwEth>3>7AxCRe5Y6SNfk?28G{o<9$ZCF;{R^Y33B=4Gt^J^G>4KG;x6>C`>p>67hk
zZE5e{JC0`jcnDh<EA{u+eK8)+{#>n0L8~SPQD^h6G}&nt8li4t-@9k`=$TGsF#0OI
zoSmJWX^y>q{kjgafsY2k<TFbt5&!h*(~%1Mu(0!~CSSgMDbOqWdMV1Oc6XY1tWYyZ
z<+IO*jo$&}U8B0R=dyv1aLsxfFC>1$At|NGlI^#bAtIqz8!NHqrlt&zz}<<DZk$wJ
z%R?@`Z`6sLB&4%#-$`6spud$O9>SnkY?_jo$T4nz$Hpcy;ppgSy{J!Pv9y_Ke{0aJ
zG+M6iR`#o{D}rwjjrDl4k`l+!t5;8k4|5~DJomSM(_J<e^;y5;=XbEyyhhSsR`{j4
zvQl)c(9C};K_y!BOY`CW&iVHb*C??M{XY5cd+t4s=B_jNPV|t=yfanu8Hc*jdxsYv
zKI}j?#nC4?uPuwv2D8;ONj}&-jN0AxE~WA~xu?gGinFuJ)x=wJG|{Aa(|<+h-iGqF
zOtT90ZN^jK5}lWX)G0JN{bN*{^SygKQmLXYsENquDD&pWjJsS9MTK#76URqhI4+8-
zul=_TLok}HXFDx+iT3>Ve}8b6jiSBOwU{dA_U7*m(Y4(lRUQQr$SVzPicz$!`Y*k;
zpQ31lw2INc7?t$&X!SB&SfxV4!eFP2X`Gh^E}i_miK9`n8-923T-|Q?8zht6pFe-Z
z#KdyD$j)9lN$R_Hr9%_B>kVPm*FjmHVOo@dNO(0^Xvof#Wl-b!+bHN1=_;kVod-Ic
z_ES($eRrmE9QpdeR2Xv!m2Yz^+hnovN7vQKFJ=$-8XKNHrAbSQ5QHo^H846dVi{}4
znD(f*&`^j6pA?0{Cnw*AFlpE?Ie+aw%dA4C3_h8@!f?&zZNTx7_m!xv!@pa;hg*Z$
zcY2hAPygBS{5_H)9l*q_B~qss+KO|Pa+@a^*xlQUh<*F^E#q}hVFxrllf10#7s!!P
zNBHn)`Q43fW#&VzaVK)I@M`xzV`l{&rd5l~YL6bBW};}1e9=PP{v1ore)TG?+!wX$
z*FWL$2)MO4)Xk~I{sQU4O&xUx)ry~my$dA!iy2q7w6$GhKk0QeY}U(QRsU|4dZwXN
zD!B0mY=pJ|Z6X&w4V?nID<%y^^j|MQv-)4_90p95x0tLjUHgg9hV7wPT;Sy7<zcyW
z>C%-ePZgonUDCnff=iy;EXUJOV6h={U%$%HQetI<A7^H=XP9){Wv6)(A0Hg@*5uPW
z=UhaFe@}0(W7{M2D&5*do(?Bp8f)EGXnVQ>kdYD_*S-Ekw=_>&HmQncl6=_+P0t<*
zWV&r<>eYa$$w>-k=1xm^cZH^&-u(15+dX8OS?xp1zncHNk&R96GhM?(Nr?b0w9G={
zlv}p8wx`h&n_cn-Hjgxs4T}cv?wp~apr>!iNCTLlZD2rzp8ff=j4KymnVprDRYH-A
z;LT1;W8vViu@+mQSUNH2Km5)*`KqHh>@(Kf<idpulOs?bY^<#p!adxkzJ@e3G(gNd
zj#X+E)JAI~k2}95Ups+9K_T*9qLy5hsH=AQyLp#Krd=c;AmBKPj(^>gvuUW>cW0pJ
zwul~M8tQ2OK>5I|#_xrfnAT6o=<`<{(op567QOwBsHw$VXI13nP}sD*odAd9XKJPQ
ze~5o0Ns~h#lzOjOj`w1(*bnfP2OE+F0#>rOp%<~&mx17ewH9`>hg`~%6;n^X`g^$S
zCv<2N6R~S|duC&<jZ?I1NUQ}XCnqP|Mqs+`PS<i4njp2bv|yS0JN(7$y3*hZkg&eK
zz8@S%-<wuHh=_>je~YiHtAmDW_z~qis-Uc_gQV?jOW>_=H<Lp`q*J#;-wr|1UNXAi
z@0-bBHOlkwVo^MAnzoo-!tD?DLxKVB;qZGrlPz)VnsxTY)uD6K)6-{#Y|5dt=@#gf
z*>)=F=w<n=HPT5+N?KW2m11iE2E2{$2f(oAxHM37-E+Cp{7c~epHCXv_@Vr-3~!A;
zvbow#)JVF@1bU78C<`h2Z_KOn$Pn8tyy??HjG#1S?%m5bQ1W|gSa!-|7n)sgXlSHx
zeHgjZ_-C=tt8Ki+H(v^$S%_tpzT9~A>(ShEv+<8^IRyp0HBV{qMJ1USH}9jppRgt2
zCMzQq?LU5)qy}A0gEVu)$>iKh8Go>JNm*Grcx-oVrgZ(&N{#$b)FR^7=m&n3HfB;O
z<{YD_Got<H_mp}LKn0Diva-nOfW^K%HbYfa)tRQ47;YKCu#KOcRyow1x8hCH+uaD)
z=1F@)gYWv?UoiNqJ5#^d)c^O0NTGz^t^iwaQ_~wKv2QO$md2|;SqK~-Y;>x;cb<~t
z<K*PDIxEIiL)NE*w<HTAWBj`AyHcH#bOI}b)<lYoQ#=v%US-LkjNL4$9fDf@0Kv(@
zVYwGXE|vQZrLC=9^7-N611K74s6_*0?z6#Svw)5y!O(>mw6m5L<>GH4+wU}HbMx~V
z@6EW;<{$m{x0#rjrVDa&xoU{vmhn|uh@`8IM)jej6Mh@t0AD~Uy!qhsd1CX`A*<Mm
zd;RwsBe7FcQ}5ru=P5oBGbiBx*WJ(E#pSG+>zxnxf0RU@`1iq2ot5w|DJv_RdLYqX
zU0uC)L78FPYr;QVwe(>_IOUK6Q=P1=?DPy2e29f`kxNG9LzOO8(4Q}&TRv#FPOZ<i
zLl}8_c!c1k_GX{KhT9eLUxh_5pdWl|(%#WQvqGefWc8o#cmWyeJFx|@!#oV4OdE+q
zV9hU`Jar1%JJ#ij+k6L<`gD;sKvG)&{?6e?ReybbeQWCi)bkX8CVLw{MLYxHb25eJ
z2nCn$KLSW6)Lp_?UH~FvrmB*#y0(^%G9YFtgsu3uNE3iO;oXE<{r~vf(QNh3xX}CO
z8q$Y-gM(fNyK4Y6^;DGzL2;GF8L|xEWHmsTo^yf%?}a6f0MSjrGqjC!t;>qczLM~H
z_wev<YHDibGd6bin2QC}xOw7foE#3HXpfAQ+%{MluWodOOoyFX>Mz*o*Efq0nQ70v
zj1JF}syW=gy>-VU(65H2PxIj5fTp&}Yx7F+v%>t(tk^VJbjNFHW{vs4K-3R2t4Wlg
z?^vhw@mRhtud#>EgRMQch7V1azO7F$wj4lF;KAgk?D_QBo_#4`A@^F!|7L3z=F`>0
zkK7*@vb8$e;?Kn2l#u1A<Dp?WHTt8>mOSzKWs?!WpRi-$TEf!%%R+u0P&ZBXR<8r@
z{@s&(1JY%GXNCXu2aS%mLCGg3BGcDrOBrcsf}7B(2hhUrK^eH>?(8gss=m{-u1sot
z?u8Rzt=tm7&2HuC8Nf0-hGjObosIDgl$4a2%CYyMvO}iO@)@Lg(SD7vW0(>s*>mfZ
z%qbYi3nmfL=QgOm+6M)h*?SVXOv9nup?27pMSQ1{6>Hv)sr1`(%~XnMC_Hb~{5VC*
zzbZ3xrtZ;+H9=9)p{6FKs+cDZBjtAiQ#5>wiIi7Ui`*2b1su=pw<<eks{EKCu6g@3
zvmZW*oS3-Y72p?>lx32m;HyMqWYc;x2e4e4yQx0&XC0($zccV1Z}w_b4$iTACMOLw
zH~)l9`%&%tAuQ}P6@cJhx~fl~JxfVRx$dz@sHA`$m-0P$SnE4<F?wWV2+B`hE2a+g
zbaXjM32k|;{7<Grarla3w$)#mu~O?T>;`o+#8Z*U?^K_0c#Fp{h-ph)Twh<G-I(<|
zKHRC)p>$fmzP!;XJ?Klf+RFKQQj0xMbDV<f^5uaj@q~kG4nr(|<_q+Tr_Y9~MFPbg
z;Jk2w<r}0dr*xd!#qTXGGM2%QED98gQ;n;2&a?{Y^Baf}O<L54sycFQT@9JaTQFg{
zdNLP(jP&BUZ$HMCF~ZEm^ca0o;LrKKOCAC0gCA|aox4jtCbPZ0-Sl$Pp!cKOPe@G3
zqurSvzf>LorP9~0-|l0VI#`uwAg86cu(!7-WYZzw7i+F&xh#3*O3&cnPF_yx)6N5n
zD%2kr9#)_EMKrJN+H|8zgtq_A53f?Q#u?$cKFBZ`3mXd@pG&j1k57f;=yp@g`4WUw
zq|u+@GTTNSTz)69v9Ym(qoXbj-i9;(rMG7apkFz3?$6k&!`aqnT8;jH7jo7v(ABTA
zZD4uz=*Ke`BW|dvX)1;#cdecwB`s1yCrKqdk#O6h9%L66KX(Z&c;l%B;PjDdF1!%2
zy&f{-C?ffk1-t3F%%Z4RPft%a<X3v;9F5nP1N>QHI*M}<g<?MI7mOx>HMW?UAQ$&K
zUy2lXEDe}^@>G;$W@cn$?2cFb>r}JXw0c!nBl^8?;x(snKHZr)A+mNX%QxBFf<Jk|
zvo8u>SF#R8<>c5x5m1b4E4#ARN2AfDaQ{b@BH9i)mNGqjImc<Drt)rJP*7vDR;JPv
z`(mdys_#-Gd2n7{-n8ShT}oL+WYzkDWcLN8D|f<)e628=odB2*r*qWChId7Mw;lM{
z-(#J0wi=EPeoC*cWj{BSyW;XVm!F=g<DGT;s;-}(pO#kK+o~L@o_6E8hPm3=^asbW
z0S7aHQyMM2esv+=b+xxO=;%nCqW<C-^pXf`zD7esvpiC9V`XugjQV%Ln#-3!^e#O$
zHT%Vu_V)9V56W}-gzX0$`tx;r^w)<yNCuaON>AL5xMm8iH-T3s_2$K6Uj4Ue+LGpV
zh&7jq8h;gPdiq@NWWA)_k3UoGab&lA#wuNQA-XCaoQ8zDv`9AH+`gEiro!)*K>eII
z4O(#v#a))Ap&^6D!kc0ujil-do3!bua+w6%k5%pqRDYNjJa82{y?ey#8yk(i<mn+l
z&Mv7uOHMA>IW_Li^NMgKom&hGiv3C#d8svuFr40pe?7Ql&hJQLSC!@D<g~S^d_U{^
z(piyeTr3Buw;O`#B10mPbo{1w#`M_FrK<e`@Z{}aH$R_)I+~sTmJG~ux`>LE=as07
zC2Xfr)m|R{IDnssxa6`74q)cBd)KV3t#NppC6pcIYBfUe0xvJ|PSZkfPKDQ~4ie*Z
z`e*0sTKmDv^+%|NkxIZ4mX^~QicxHAY-%@di1^g&AeBbZ&@e1}lDxvV9xc^aHe!VL
zg@l9xjt{*^Cl+xC!N`~xQexQ+0>k+4jN|`BLjI4+SKTxJrA0}i3k}Pf%$nlZl}lV<
zuL0S5_y*5AlT>sjUb+pGYX^F&4l*l|#@yC+r%RsP=df|S+PBnosKnyYqepLkCYpYi
zWO{1Kksx_$BkSEod61$s>u&H@yT^WnKh?X_QS(nCB5*gNUp$SNR?Tw&t*}h9F8B=f
zIH)mqeY!Igb6Frz`J|<ffg}=|GPJf&?hCF*2R;{wh=}ZZvQ&XxGcYhfC}uy$t^+0#
zpc1`)of$Ay;b-r)3`kvQTqR7m6A}~8*|156G6x*2f%@jC^F5wh2e{J(#!)~*hX)5t
zAW<D1?gv0+3boDmI+%c6)6tOZFTbnP=TAjNrSKB8EsM=x-8&Nj0nn!X{QX@>*oZ)S
zB4|-Pg+Q)$SEnou1*vt^-h8drND)uKuv8S`0sUmfKLY_oPh3o_dV9pa#}%-NnfDZW
zY#Q*K+}QV5Vr6M*h&9idCejNs#vq(JL2?ml8FY@(Zdm4-nHe`%SBhH%{pIDmckhrV
zPL(^3(iR;8fO`ln8{}G%4h8X3eoNESfvYMvZz>F#TY!{Wd$^sf(wnQr&T#zb#A(0_
z!tTE`>xB}Sk3m(kz%<-eQfgW%uDy&wu7w`N@rjA;0XWx8pb1V9_aNvdEri++dPP0T
z(=q7`*}Jb#wZ=59S3sq_h%R>+ey1;H_mG#z9EyiF>3hH)pnvry<kz!r(_S_X|H+yN
zYY_5jY+}N!`a2(EJ)N1~qs?5_s4c*0P0jqZ2ijR*f_4VY0vgxzbqiKmba8n11Ixh@
zsyiQ?CZzamZEV<BN(pjMeST#IXe5H!cX&Q|@!<Om<z+OGJ?|=GwTc=Y#UCE*LQ~bt
z#fOIzDUk6jg0w?{36F}ZpZDfS&PBu>6%^M{Em0oqRt6kDthOR1B^7yt;Erj*DEI8}
zYsyo0?}7{kZ*07Illw*6pA-zsd@e$Zt}Z6(%~l|qIP3h6(a}+7eh_wEY=#q`IYWs7
zLF$5DhX4Isgbzp0LycFWk2VDb1uYLBGhSb%e1QYvBKFy1NzW&+u#m4%K}XJygq-|2
zFAEo!N+HBe)o0qY=Mmf&b%v`!<N=XsCE)nHm$QY%6sWgQ8VNMD^vEe-|27C%AQIbF
z`*pcDlg3<?_&W6CM>XI9LZ{;8m5-u3jnA!dooo9NbUI*fj;{V@)?s2|;&f}oH;5KZ
zH$uCqu9nmT#eQ1kWNN>1ER!Nx%kMDehjkBb-@ZK?`*-hq%5};*Z3-!X2=ZZMitj#*
zKOp7}`R{A}0tMAz2L#~rmnSM+W<WQ33xN*0TB_fAE6Au(TizTHe$~+Ww3GEP9|<im
z72x6=09!zVkDwe_`J0-i78KZ5yLJVK5|IeSt<ZG`-YZj?s0}!Fsy!T79U3S$i#;Ii
z#HF5szD2?;#jrQY2au2;23c4;IPh&gO5h>|O@Nzd%@HKGI9JHR76mRDL2Bw7kZPw-
zp43EU>0vd|t2cWW+(SLgB~HLC*(cRhR?=UtL**mZN!RN5xVZ%dsqv?_fiU1M<;2!=
z@$ft?28{H0w@9m4<OmXBkugh+gCjAzZM=XE;w&6huD(_Cq~JEeQNX>7j*ia0@%-M5
zG2ur8k^ik4QusyCeRDDp)lO%yGUZAj9l5%`%Ru$?^Z++8Q~>MailU+-k?&n5VpXJz
zi;KZ!KE6AY;Lyx$F7%%6PK}Shz|A5ef+YrgV@)uD_Oo(wM&nNqPx4RKLS`B~;h^Dw
ztB7hy?cD)3UgfbA+Cmqg98Le_AC2hAlP6u7%H+wlz$mH9rm4W3LHER`2G;oRN9NTK
z6rvDFFVHv|q>n;FLP~*-S(^NEuYzEr$NU0@J;jg&qS=Tolx$6WZLM@vAckc?#lnJ>
z=E>{VodgLf0a)Z$Irxv^1^}12*;yzXRzP(@d|pYC1h`=g+!xx)W#h`ac4hRFe7NnD
zqT3%b8kx?Y2P?}kMRDzi*95d7d(e`=$ePX0LaAhn`TyMnKdg3d{(MTvv-o(>sG6A>
za}nBSGBPq&X9w?wK$K>R*9FLfN2MAZ5<;NcIhWMb)Xb3sXm}rTZEY=#oO$3bWgmLz
z^dk(*J>x2OZed|ujtSf`0W6!^@!+|r&z|+!TGUN>a|VN%4tawLM?sY$BPZ97ea$K#
zD$JDwd;*x#_<P6O-x?P|>7SaP*ZV#E=f|h#hm?7U41{Io*Vl;Cr04o7?Ddl@A-qBT
z3L^#ztt*cqA|ZKo&B;`KlMesU`y;%&69kgm76&r_ibc@k@&Qp97#L);tpe88-Ob0e
z;_6<kyXqhnUW?cd;M9<DadDb5H*ZGoiduXPej#KVITsih2-&wXR4VW1_dkUqM^NbI
zzo+n88%*hAIX=10VQL(q#1o`;J_G#8mCqZG{~Au-^ntr@)xgL+A!m}P1Tq*dv!)9;
zusP;DXX3{Cx_KBBtH@YThm;G_L69o`yxx|j`fRm-ZKhd$5A&%&U>JzdM2UsGlhX>s
z<i}5+W(uy2dj|pRQBmhk104{$8#E*kwyklv_|1eW)H#uR?vr&$zSq~i$jmO8RQ1Id
z&tf!hdP1*fXa#bq_zr|S=(S0NYmoA!f!YT2rEcRmPMJxz<wY)nJBd&({Vs|xzBo!K
zz4M>a4kx1$)GLC1(B~~bdAKv7ynM;@bLD;Plc!Gu=b+u{fWVNai-x9a^{Xo#c+Nxw
zHD`nVty{P3BBQKN2K?qiv_r$(SzV<tOSkyyMR+?Y8ed%VmtZu3J_(P~q|D6x8bD@q
zL&M3FCnvRxuVWCPX*4U-(LD$F<he9J+74`k1H_Ie=d|j;-U1q$9SgxvB(_Fv0@53l
zYAH6dnd#}05`eRD4g?WL^B)l>;jh}o;kowbAUXbCToiX4DTgf1k_|ewJ`dFb{bUg*
z6EZtLKVWfu3~Ta*420n<(8jc{VRHS!$%Ax1M@97?GR^SF$PrNFf0P(SBxsFWtE<jn
zC<2PG?MQMtI@rTpBM9LcjA$J4U&ZCWo2mz`#QdL2dc^;Yz2J)fuhj~|4FTH{YUKZ~
zghPZ)Q`ajpvc8D%2BU-!av7b_lFHt_6J|aJ=Vz$=E;au(tjs1iH}~*opR#$ZGguX4
zW5%ZUAtMoJnUf=Wb)a|nq{AmWfP3;X1W#m$fglBS#2a3;jE^~gEu*4P7tLo-l2%?G
zum1wWqQnijo{VhZ&H+K4zH?`l3Lq>hGBPre&oHC(IqL4+yQ3eRel~*dmq%+*Y8hf<
zbP{?eDKW7;I!r$i!;)Y}35vy;1lt?2$E4@4g3!GhsEy3xfjy8r34#f@GXU(gBg#R-
z9<VV7!FqT|ADZ@O&;p^~fCd%H-r3pt(<2MjA_*o16(eIcXjK&KC(&pzQPD!<k5{tv
z>K?y(^=iKJb@9_vr=#oVD>6|kj>2a_CxtqyoqWCVPl=AiZ^I*kV+{He&`<k-+FW99
zU*C<3%vhO4s=g1Lw_X`=9y*rjkdu>_Z~I^g5pl=X_ETkL-_-uq@@?S2&p>*=1h0>#
zG5(pKPki;t_(ND+V&W-c8ald-NJ3ME;&|rF8No32GsMI*1z_6u@z_1`_3?SpSs)6w
zDpZEGDtO;j6%7q94-b(7vmYMfDW5+1-nnz3m<%g(kG8yu^4MmV-wW{m_wV1q<NmA!
z_sp%ip`0-4a6EUJo4fVfH&PLlDK}i3NOmr1gYwkr)BAt_uB&Mwv;IazMag69I+TCN
zO3uBoO$BXWZYu+&BJ!bJtNDHS>xpg(XBQV$b@e%2SfDLUZSBC_4{2#_EiHKTkQs~+
z^y^fB9P+;M?XIXftb?f(4}OdnY!Zl((gyahj~!XZY%s2n5F8u~(8cgqr-L6iq?9k)
zwQC>lA5)f8nPO;YY1i+;{<@CU`1?XuLS1>cNewsV=H>NM8k%qxReVCi-tI1+;X8%%
zIn*>X!d`!jP4&Q;Qd3b0Pi&g~8WDX~h(lcbB_VpSL2b2whJey1-ooSrJ)0)1DozGk
zrQF49*YtgJnvUdPh42uAnO_+|i|VJ24iBH)g%<@Qi;GtXHiG}-@$qp#5ui(Gzz1Lf
zh)DC*-pY}`5mtOE53w$tm7N_!FZfl>X0olb)63a;lJFe|&!?v?;jun{mRJ&-1H318
z{kmHZ;TK|@olsvz4lrHxHxl{QwzlT{?tt(`&A{L=Z}q63!qP8Y`~_(oAY(Z{zt3|=
z?32|&)Yrn!#1TRYfJUaIL-#R}_X-%i85F|9*hpxi;re(#-XrC`BqFP(Xu%B&tvrPG
zw{L_!AS>e)1gUPxj}>4PH|&L!l$77u%d8KS+@!AX)EO;SgTr~CI#yymJ3ak%uO$}|
zqhnz3YkAp0w;F$wQ%uYUHsOGijYp;o%=oeCWu{^|bMv&sCbe`_%W=@?NPByfqy<ky
zZ*T83hdT6%MsPCZkbX5U*0t;U`xE$~>lanHy4>EtrbVzEiPcbG(-<NBU!|k~S2v`2
zQ~%F*Izvl@kZ_!+Nm0}?1QCW1PbJ<UhiAT6K-@bkxG8!Z0k4>6WM&TUADXtnO1rpp
z4|y-b(mhE@`Mtc{v9S4vvOK+T?>H|HaYM1=Rr;f|$Ztr&8jAKu7y<j)SZ-lUknZ<l
z@%_8nlMvohyt+Jfg>kXR#ij7ZEWHptT{SffU?~A*kQf{t92$;4z<S#|Dap98u(O|_
zHUFZGoNob?mWDVfeP8q1wQFOAe9vAY9FgTj2Gtp;j>opI{b?~o<mAeSuV+mAxL~ah
z^m%#eKFb^)r-v~;n2l3bddwgOoMYi^$bhV=sVUT>V`R;P8|Sz9;&}*PO$W0Rcc6_=
zPIdttD=#nq@yTm{Z*MrBnu_Y{Zn5VTAt88Hn&Y2=jwgB2$h^1u^*;d}2g9<#4`6s{
zG@5>@oxk?ZRNpI4Ejoc^{)Q1GR&zA%{qbr&`DhE|uh@f4t{ZO%$m+_gSO?(4d}n#m
z^uAdA1OkBlG65|2((U&pmyNE62e8TM+<0rXkYgx^?xTW-F{yGdt*9_5F-Hc~CUz%h
zNk9r62)92?N8KyN;(hP0&$cp<<-V0U$eg>#VI374+dMZ}8HAJhtz}?fHz$O8dBTo3
zJiVD<#X#rT@TjZiN&BCsW;=4w{=ZDk==WyG$=25|UT`yqAitGfypbqzxY-L-`P@|p
zdaIg9jEag%og~fq^T`Pb+3bm}A;ff4)YNofytvFL71boyonWr;U&9Qvw-f&vg=b2W
z4SKM>93cXaFm?Wm8t){)2N1Bp?jm9RhKQYcnJVRPRPezATqUOc@I9~@K|mND9VO;A
zf8lhJHwV#o0JA~-rk`6%x|u+^9tX23G$0@1@U?`GYq4o{*2A-!hzTM+Ii&Xy`w_oc
zO^01K4|D}kXM)~4xkzk7C0qRUi;D+cX7kN*C^;X|huu3ElmN|LRYj%iAcl#V8Aw_H
z436M1^xGWVh!5z|W4*6H9ttg3dV!pDb!l!>3hN@F(OoSVrTHEAj8kKNcJ=_wHX9G~
zT!RcPliuV$F7U`cq&^~n92+t$utfhWPPY5~>4t5USgkv;)pmEJd?8&vtmEg<OX0ig
zP3N8ZHaSE{X*7SzyOa&8rfeQ*>dD}6ebC~+{XE+bO%(KuH(6N(DG%mgpgU)y^68BK
z{QC8)3iEJVJg<J7xebHA)$udlIbd?C7L12{$A_S==;)1eDGO#lAPZeH4pCox1puh^
zxcKdWdGWKC^$p|9v}yQ&!zDA#Iw;sAwP476?RX*7cqKm$P+sCq7jPHBnTE8<1sa~K
z0BqvyZ9`+@=nfcN=mmQRC#bnVAx3{YU~91-<c?AhoPll_mzaM6`JA)S4SQ9Pnj*5I
z7y-A4=2<>WFGQ5{b}R~?BB4hR6QT(y&$Hr{(GM%YwHsVbO__QMO+M-QDYQ(@0G?*1
zqYFzuuY1Od7pewjx&1)l84?l)82N$em6k6<5AFogKir#p?)7JEVR12%B-{J#SB`o4
zOT75%TlYw}#+eh-@dWt`ya|O_f~>~D0iwJg0N!vJpmshSJiKPUzeTv^y}Y~<w!EEL
zlK?vM3_OpI7rsAc&;WN|YJ)BrRCUbg*{{Ds!*Z?%zz(pOVo(GC!&jlmn5ClU0DiT&
zX&T<Ovg-Z7!1cy==MT@)vuDprAHtf1u59O*MD+6zZiv~cTAEJ@83;lURcsdwaux7S
z0xULYa#N})YEzTQ0GXAPGhquvM}y-pr<v)S2sdDaPP$$EOl@u4cSZNAOh-Crcq#1K
z8$=f*6eMtzHQ2ja!>5QIsv==6<*ktuZP#$dKENRg8H8-2$4#S)_<48&gR;Dy03wMw
zCqhLCghCzUeAm*QmM5&FN6&$Z=4J&<M{qXeHXt-0OHb+E^Ri*{Z~P}bAP{P{25tjL
z1p6engXQ~kezVIp>uYPWy)X)Ks?#(6-GN71P7bHk18;A_)DppcjfoL??+TO;&>|F?
zYoLpHEDs4TxHvi-TE$8Zfcyn6NN`vf4BfO%{MNOg=EdQ~HpOL0W@O)~hdwCo{f}va
zDin=xfB_!m+@(EO2h{OflAt`5=fC7(zze2@E?*`ib`IWMoNkQjl-lQ8ew+Ym<?+*t
zH=>IgbVf!;&uiEeeqO2BhnmkVS&bcJ1}^}T!(bS6Y=FvF9Y=6gRk}kB7_2#&v>1D6
zcO=edEo-Q(J_*H_%^7aFLf&pil*R=J{Z^_(o<Ucx(fQF;&`$x^JqXk{_5pU@(Q)&j
zzg^Zv^1Y<n{7qHWi0NAeB{1{Jfe8-}r<Z)--kx~ry8AE43Dn)gDE^voo~(2fU%|f@
z_ob8JGeOQfd!5xmyi5d!wFm^d+eo445=?>$EYG#m4pI|_bLs-Hni`?r8XTO^1(&Wl
zj$~yZZY-Z641P}5VoEA1BzNh2e0;PUnZ#GOw)_|Ka?<d?^a{A@sC)wn3`JmsqHg9~
z>>4zxsV|Rt{6jD$4XOW(i$?R9L)Rku0fD{L<{M{jcyAQ?<$r!G9}h#DuZi}bn?AS;
zCJy+TU)Mok%s&$Entl+Nl#d6yp!kAbXl!ik7MD4&mB?BmiJdXGm^Oe_jMwhJ>Kp!t
z*(qej@!vMqpcp_A*(0%_k;K*wB<v`)e*dnwz<$9(R#KM0pjLTw;9e(n-+)VAS8($m
z$9z%|#+R_pv2?0ZkJYeExYAqq-lpYWRU!o{i1UksZVWRRfR+kBj2kpZEXqmQMA_s<
z1XAIOuHP%-hRo~8-%*~U5ePW)TYIg`sgYW!g?1SKJlxr-@t2FatTCS^O`mK;6Jd``
zG$MvFq_p$rM<YTC)R>}|C|r|OT=DCFed<09rRvVmh-XB)?V;;Vy4s8W)@_qQk#m~z
zR((MIWYBaA;J^?aLC_P-R+w~H*Ydilg)dz*AhF$*HOU0>05Jy}yhE^(_a_8zKVd>G
z_GA-NZLUm63kqtrsa=SQiTOQP%uJ^JhZ}dB<JK#p0E=pR{+r}hW#oA)ygWRZ)5BFB
z_I)~+&1xj9+h`c}VBqv<t2m(b8S6FZTg!}RK;yq-pcxs|NuMYm^H@tBXerkCf|HZe
zSX^bdzrX(!%10t817S5&O8<TJ*{fH}%gZF~1V<XS_kj<aKWy<E_2l=k5Wx>XxYyCv
z&N2Zq$1t__A0sitOwtdH{X)J`sz9w%OdX1wnmU{8uVQV+MVem5nd*%ig}%+Y3w2^V
zLy>roMF&z+`qlctZ6|^?tHQBR{Pl}1Nqf3db1s2-S46qbwP6+L0+H=RCnzuJ`qHs5
z$11vnGS_2D;%x~nVaDh30GJayL^m!ZK4rBeXAn)>UwSPGV*xxh4`9xg@^#axNIi*Y
z%ua}=w9E9#MCrX*>ScSFkjRi1?QvfkP*=0DvSKGqipoDJhg->tCY8$6ClitUCxmiM
zvH;~pQqo*$`{EdLuSl5n6*oqc;h#IeqQjern1XurRX9T4`VHFUu*`i8A#QAj8S@$T
z)F!AaZ>OBQBf~8I)^xSWwEg;Jx7OX>e&gkWOtG+LjI#U;4FC4M5ZH}273<ri2L%<I
z<{1a2$gmR+NFXVfunAn>S2HsZg58yNx&L7zLoIykC*X>kZxrBv@JUC4q<6=<3Z<#9
z+y>)wDQAK@e<jGP$HK<q*k3>V%bn_(OCO0;;mI1X;mXfIxw^S&p;JIy`)=k3^GV(>
zRgW1>(oxYd%^9Ngv6WldoaqvsFtcMm3Yi<Vl^dEiU+hgEilN}`R%?#S)Z;gUAK$FB
zyQ4|y1rSVq`)xy$LJ#INd#(EVKBA(xppoZ)m^t(3v@!SCT`ukVN2*vaBm3TGI4vXy
zk71}RI&aiilmWNR{##8X&p*#s<}iGvFgiAt?)c-SPU_#`Ac0KX)Yj2yOm2i}hFsoB
zkoYv$rH|HPK^~{|UFk{>ntC+=%Q{`thsB4A-{R!u<>lfc`m(UH;*=Cr`o(s$jSxL~
zZfN=?4{ho`yJl*^4~+M(!i35dc`Yn<^4BjStA)7`HKOl2H;FAAZeqonnyj>5O>tho
zeqQ55A*E1w+eXJf&af~a@BBHlihBv=#6DNj5eg}qGJqr-E_X%JP8EesTO?KTrz7qT
zxShNQ;g)qHDoKGDb>>MYcxhSsPv4OI6G-Ap>OXj7vIiqfuWXg&jy~o@jY)_SS9^8Z
zz}+w&CqHTP=8F_MNV{df%y<NnI!SLqP@zJKBD%3Y_iGIa|0T~$<EVUd2PO7u*W7f$
zdy9HVp6Xk;D&LkoxEPi9t#YRcrk~T3lPnF6dO|d7(rEkSm;1_iBX51<WQ^vDhh^cX
zuvb;Tz1bdJWzVOd4%q=@;9+xBo)T!sBu_rhJ`a%>_-1^m!N7}LaWQKq!a^QF?v`+(
zx4)Z25ooqDI%#}KVJ(a)@5nfeQ3FR~4qpR2{}0w&w5(*I`c^bLRm@#N3x_xSrkOSO
zB1C;T;!C<Z4B{p%dRX$UcEBamQ62X}GXP)S)j@J>H+1zMbaCMD+zN_{s>j0V1$T<6
ztsd!r_|J={4`pU%isT}weJwSSHW_%(Zb3Cw-7mrwQ~P+4OD>koL@*J|`C4Lu*JmRe
zPOPWWn72JS|Hi?x^4-_R6g<4xe?D1&DDhsKekmFPPp@5ZLP)7%=cw}Gp*W4X_obV<
z_~|F-?KD+msB^1<F67#&a;Ax*!lu-$7+Gm{>?(UoI78dCxOou$Wv$ORZ`l3?plJSV
zbJLwCZ63Idike!6r~Na)v|ki-^$FJkJxj4sDPKxegdt^(Qj|ph+!9fGrE+~jsH7n7
zG3YlN^WWsp(d*w69~mAlrPb^OX*4bJdrKiBP|iSSozE0+cw}5!NUgrS8Df^V&YreA
z8|jNP&f5`ku*N#WOw(O~*I>FL)e9#l&0*B<qt6CMesJh<v0{D-OaVF!m3$cr5zs|O
z%HO9azS?+156ht3t~r)D-R6r!z#u-$OHR9V7!&gapcj~wiy!g%$L`n6Tn1$vrX<1d
zPtd7@DGQQ~D-5pn1|{6v&6<XJqDG<LTUeMwc~?x3b{wo{jdF%Op?d0hXO2~Q5IdGi
z-(&1UJKtEXmQjC_kPz}t@uL1A6&EkUh3j}u??_HtYBm%QFV2aswj;t^XE`>#Qro(m
zq*0RREzBI2W@>987LV0m3RBinfvnt#aiWuW!p_Eal*`_AGetV!2$&wtinum6I3Z7x
zk}BbBgmD*;Eex@lAriF3brpfDvj8wOV0Gb01<U#1ClW(6`&L|Uam$3|w+c(oK_p~q
z?`f@q(T!CnS>QZVU^)8U5gep|KJG3}!0Jhx^C{=d7kaW+?9RoHMq+upmODE-4nQ1N
z=kv5iA8e00m4q7;7B=h68^DcL)}Uy@2x<xbT*a<hsdVVHTH|AiNMB)3`Un5)wY42J
zmqw}3M-hSqcm5Z-I>GS{y|5nyt+fOOVL|&=dYDOn-j)5@wZWn4Y}jv?Y)fULM#+~~
z*2Dg4aZ}OKhH|umaZ#v=%oWTAkz@CA^EaqmN%8Rw_~KyHpRtcY^Dhz_@VRCxl7dA=
z3*n(pL!Df3LO;gFXs$O=ilFfzxbu>g<w$ByoCVYk-jto=8i9&k19}hVUW}@1Z``<{
z9CJ>WQ`*xGT+!E6VA(c(C^U*W27nFSq-cB$LIOk(Ks&m7y07{Q1R8<u0<Y=7cbgst
zjDPky_c&nk=g*&0Q(ty#_0jm<-Q6coC?tgG#YVi32~Ha{ceByrW|!uSGx%rLPxOOO
zbx`6!rGt4$fX(!Z35_@Z)=jt8Lh=CUCpa@BHAODPRi8cy9Tn&x13~v&0Z0Tcgo*r3
z4w#Yq{+;YnPnBde*eoFZtB#5U$ik3ZW~LQjf%;E>u`>CmjI=Ac-Q3&^X++eGjLt=h
z3kf|_ltq`^yXPVE4$O&MbP0@YyPb4Ig8W8$Ol0-}gfo?^moGntcO~(Ii~@4v!HfKn
zM+VK&XX{}c2LCZ=vN@&7bxw^|aVs(Z`Sa(mUo-zuLmMC(8yne`qI2s5z7O6ZCdQZ_
zz-Y6)g++Q<nb5IIk&#S7q?17|qMiNHrEg!pu(GoUDZ21GOw=&y@*I5!z3&33$&VjD
zj+FmIts^7S*5BWMPW-wS^5sQPN6Aa`<5E)}H{m=zuY&MYviqhmCntxyUV<tDG)p*P
zBmBmI28X9j60xV{tD_s?&^9(+o}agIxX%DrX39l*dwX}JTz{^p#hO7(p^VH#m52Ts
zGuq$SGoZ~N)^v6jfU9<~KpKD&y*&LE#iM2?T-vCBwo3$Y@$~7_N14fN%P0l30lKxd
z74Gt&=mxnbG6Pi@4p0WZf7?6GoQ{R3?i_D5pu*{8{eTi;3aohr9BSD6``2i%fd8L&
z)2*Et0?JkR{^SrE1VYckkLO9w$r3L7MEW{$WmT2YXbbAA|GzJQ`t9NA`941m4Fe^^
z@P3wK4H$CdGrw3H84-c__Z4vPKEvq?7njoa8bZRt@g{iiUxg*ce*6$Q@D83Qd<_d0
z_q6)+=kk#uu!pAv?tz4i086T_P9`RWu%OegsgWRJTeh{e5vC<Cd7Py(K|q!AaRHlz
zN<4+kaUKo>kiNPBa?>YpMYDR+zAeLJFT}Aosg1yN6h9YMhDZJW{mXpjA7`S%X-S*a
zKyvSwJ-99^YVhl}`(u<6`pG?(D_5u-??&xkGC8Pf9i|3>n3OO>^sb2xr29r>8L<Gw
z>qh!LZXGI!q>oiqv{>v~KJ?ZRikYaSfL?J{)<-6A>)JZB^g=cyi$gZP!9Xqv8-`Lr
zKY1w^&2O2?{u`{8>Ag;FD!Bd(tw6mBwFyE@iwgXPpy+6lvV5ng%Xm;nrn1vfDwkN5
z&bGC;7i_S{aj4tC_JM@~L73}1_<Qv_kuNhd^NqcVr-Z|Xe0<BG!RFPk5@Rs=qbFEE
z#|=8?ZKAG9!@ywtvmef08eAuO*jLXQXf$4&bXIpGC`B9DfTHMi?VBgw>+8e8d^;fk
z!at_<E`XYhZKnJ9JhEz9n#20e9Z^wHXEsgn1n4r{-cIfM?Od_cfL$Gb31vs(n4D3(
z0hNOaABF_DZ)=;QFJ1ebwbkFxZ<e`x{o3fCRv^8{{`bMVX*t#!gwghUj*ohJv>kYl
zMO~&9Ji)&T|5!#i{uFIOGy^Ia&uq|0O&0#$yDLC+2s=a3&LSW{q2WOJmS_e%T76dP
zlb^E?g63zG2{&xbvciWK_yg9u^(Y*xgoA+?v;he4!I+XNyap6aHMO>H-x8Sm!VN%T
zR^b0y2}k4X7;*2hU7!y-@XlXPBndnyeLg#TXE`ng1y4zN_Uu`L$HIM@d=-z!!<6e_
zcehsI3s5GlZzD5kyI^Jq$e-LrI19waYi2e9%SS5;M+oD<&EnR1Gei#~Www94Q?s+P
z;Y41^P}jhKUK^;@Oct@Qg$9V+w_zb6TR<LxSF%0OD!6v&g)HX=A&o`xA@nMO6&r9G
z9&OGA2BDOh{c+)S5O57ez#)e|y4gBdIyu$)?X44LF8Ng9f&#hK(m=<E?sn6*w6+?4
z@+^YUF&Ni@qkxaD9)q_H$JpR-lUdZcU~e=9HFbRk;lQlS0aU2{-Cdc}FtKmuw-!Rb
zcp`xE0L*w$RkpUbr92kn#iEsAC|&y-fqn#?CLf2<ZBWo-vLhZpR(c8N^2#c~Zmrm5
z7IV$YT`X_|sR~DJhlJy{VZ?NoCx_qC9p@557rqb82lyulc%^;^(guiywdab;aHI&o
zExmZWE&@g!SUSI1PYBl9b~5=y)s2oO6Mi2Bg4k)Sug^ZS#u1Z}OpJ`$RX9DQbB+um
z%H|vFIP|4CrC*?|lF!_+wvLF0dxyQTfnw3{Zf$e(U^<FFD;9KVNu1A2%ryly9Fjx*
zWy3!wexcto?-fXu@AYE^U{W-W>UMff-9Ntx${pA@U~PJT5r?q2L^%DsLYVXCLm#oh
z<VZp2A^c?iyTl7l3KyQUI%ao1*mWtVT%DD6|J4P0AZTsJlrSkWklPo4VY_&&^8~|k
zuDlM0#>GqtM+mAEHK%fA3y)#?VJ0`0Q3a$DxH=r*B4UNp(hcwSq$9RTVy3fxq{E?j
OgsS2#g|~9%f&T-<Erz53


From 851df5a9d3acbcf25edf68dc2605e7338d437785 Mon Sep 17 00:00:00 2001
From: Chris Doherty <chris.doherty4@gmail.com>
Date: Tue, 28 Feb 2023 09:57:53 -0600
Subject: [PATCH 11/14] Update ToC

Signed-off-by: Chris Doherty <chris.doherty4@gmail.com>
---
 design/20230222_tinkerbell_crd_refactor.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/design/20230222_tinkerbell_crd_refactor.md b/design/20230222_tinkerbell_crd_refactor.md
index 9ad749e..5905096 100644
--- a/design/20230222_tinkerbell_crd_refactor.md
+++ b/design/20230222_tinkerbell_crd_refactor.md
@@ -13,6 +13,9 @@
       - [`OSIE`](#osie)
       - [`Template`](#template)
       - [`Workflow`](#workflow)
+        - [Workflow `Started` condition](#workflow-started-condition)
+        - [Workflow `Succeeded` condition](#workflow-succeeded-condition)
+      - [Conditions](#conditions)
     - [Workflow state machine](#workflow-state-machine)
     - [Action state machine](#action-state-machine)
     - [Resource validation](#resource-validation)
@@ -21,8 +24,6 @@
   - [Migrating from v1alpha1 to v1alpha2](#migrating-from-v1alpha1-to-v1alpha2)
   - [Rationale](#rationale)
     - [Comparison with existing resources](#comparison-with-existing-resources)
-    - [Use of explicit `State`, `Reason` and `Message` fields vs conditions](#use-of-explicit-state-reason-and-message-fields-vs-conditions)
-    - [`ActionState` and `WorkflowState`](#actionstate-and-workflowstate)
   - [Implementation Plan](#implementation-plan)
   - [Future Work](#future-work)
 

From 05249acc2fc3bbf1072eecea4522825223c01f49 Mon Sep 17 00:00:00 2001
From: Chris Doherty <chris.doherty4@gmail.com>
Date: Mon, 6 Mar 2023 16:16:29 -0600
Subject: [PATCH 12/14] Fix object references

Signed-off-by: Chris Doherty <chris.doherty4@gmail.com>
---
 design/20230222_tinkerbell_crd_refactor.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/design/20230222_tinkerbell_crd_refactor.md b/design/20230222_tinkerbell_crd_refactor.md
index 5905096..562640c 100644
--- a/design/20230222_tinkerbell_crd_refactor.md
+++ b/design/20230222_tinkerbell_crd_refactor.md
@@ -109,7 +109,7 @@ type HardwareSpec struct {
 	// BMCRef references a Rufio Machine object. It exists in the current API and will not be changed
 	// with this proposal.
 	// +optional.
-	BMCRef LocalObjectReference `json:"bmcRef,omitempty"`
+	BMCRef corev1.LocalObjectReference `json:"bmcRef,omitempty"`
 }
 
 // NetworkInterface is the desired configuration for a particular network interface.
@@ -169,9 +169,9 @@ type DHCP struct {
 
 // OSIE describes an OSIE to be used with a Hardware. The environment data
 // is dependent on the OSIE being used and should be updated with the OSIE reference object.
-type Netboot struct {
+type OSIE struct {
 	// OSIERef is a reference to an OSIE object.
-	OSIERef LocalObjectReference `json:"osieRef,omitempty"`
+	OSIERef corev1.LocalObjectReference `json:"osieRef,omitempty"`
 
 	// KernelParams passed to the kernel when launching the OSIE. Parameters are joined with a
 	// space.
@@ -372,11 +372,11 @@ type TemplateList struct {
 type WorkflowSpec struct {
 	// HardwareRef is a reference to a Hardware resource this workflow will execute on.
 	// If no namespace is specified the Workflow's namespace is assumed.
-	HardwareRef LocalObjectReference `json:"hardwareRef,omitempty"`
+	HardwareRef corev1.LocalObjectReference `json:"hardwareRef,omitempty"`
 
 	// TemplateRef is a reference to a Template resource used to render workflow actions.
 	// If no namespace is specified the Workflow's namespace is assumed.
-	TemplateRef LocalObjectReference `json:"templateRef,omitempty"`
+	TemplateRef corev1.LocalObjectReference `json:"templateRef,omitempty"`
 
 	// TemplateData is user defined data that is injected during template rendering. The data
 	// structure should be marshalable.
@@ -504,7 +504,7 @@ When `Workflow.WorkflowStatus.StartedAt` is a non-nil value it transitions to `T
 
 A `Succeeded` condition will be used to indicate the workflow succeeded.
 
-When `WorkflowStatus.State` transitions to `WorkflowStateSucceeded`, it will transition to a status and severity of `ConditionStatusTrue` and `ConditionSeverityInfo`. 
+When `WorkflowStatus.State` transitions to `WorkflowStateSucceeded`, it will transition to a status and severity of `ConditionStatusTrue` and `ConditionSeverityInfo`.
 
 When `WorkflowStatus.State` transitions to `WorkflowStateFailed`, it will transition to a status and severity of `ConditionStatusFalse` and `ConditionSeverityError`. Its `Reason` and `Message` will be propagated from the failed `ActionStatus.FailureReason` and `ActionStatus.FailureMessage`.
 

From 41f6aca83f67913a96f64a0ee0990e133d1d60f5 Mon Sep 17 00:00:00 2001
From: Chris Doherty <chris.doherty4@gmail.com>
Date: Mon, 6 Mar 2023 16:25:05 -0600
Subject: [PATCH 13/14] Simplify OSIE definition

Signed-off-by: Chris Doherty <chris.doherty4@gmail.com>
---
 design/20230222_tinkerbell_crd_refactor.md | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/design/20230222_tinkerbell_crd_refactor.md b/design/20230222_tinkerbell_crd_refactor.md
index 562640c..b69c8fb 100644
--- a/design/20230222_tinkerbell_crd_refactor.md
+++ b/design/20230222_tinkerbell_crd_refactor.md
@@ -96,7 +96,12 @@ type HardwareSpec struct {
 	IPXE IPXE `json:"ipxe,omitempty"`
 
 	// OSIE describes the Operating System Installation Environment to be netbooted.
-	OSIE OSIE `json:"osie,omitempty"`
+	OSIE corev1.LocalObjectReference `json:"osie,omitempty"`
+
+	// KernelParams passed to the kernel when launching the OSIE. Parameters are joined with a
+	// space.
+	// +optional
+	KernelParams []string `json:"kernelParams,omitempty"`
 
 	// Instance describes instance specific data that is generally unused by Tinkerbell core.
 	// +optional
@@ -173,10 +178,6 @@ type OSIE struct {
 	// OSIERef is a reference to an OSIE object.
 	OSIERef corev1.LocalObjectReference `json:"osieRef,omitempty"`
 
-	// KernelParams passed to the kernel when launching the OSIE. Parameters are joined with a
-	// space.
-	// +optional
-	KernelParams []string `json:"kernelParams,omitempty"`
 }
 
 // IPXE describes overrides for IPXE scripts. At least 1 option must be specified.

From cb9942766a5e236999ec1a09b1e025cfb246c856 Mon Sep 17 00:00:00 2001
From: Chris Doherty <chris.doherty4@gmail.com>
Date: Tue, 7 Mar 2023 09:14:40 -0600
Subject: [PATCH 14/14] Update time fields and validation

Signed-off-by: Chris Doherty <chris.doherty4@gmail.com>
---
 design/20230222_tinkerbell_crd_refactor.md | 60 ++++++----------------
 1 file changed, 16 insertions(+), 44 deletions(-)

diff --git a/design/20230222_tinkerbell_crd_refactor.md b/design/20230222_tinkerbell_crd_refactor.md
index b69c8fb..08ac9f5 100644
--- a/design/20230222_tinkerbell_crd_refactor.md
+++ b/design/20230222_tinkerbell_crd_refactor.md
@@ -165,19 +165,12 @@ type DHCP struct {
 	// +optional
 	Timeservers []Timeserver `json:"timeservers,omitempty"`
 
-	// LeaseTime to serve.
-	// 24h default.
+	// LeaseTimeSeconds to serve. 24h default. Maximum equates to max uint32 as defined by RFC 2132
+	// § 9.2 (https://www.rfc-editor.org/rfc/rfc2132.html#section-9.2).
 	// +kubebuilder:default=86400
 	// +kubebuilder:validation:Minimum=0
-	LeaseTime int32 `json:"leaseTime"`
-}
-
-// OSIE describes an OSIE to be used with a Hardware. The environment data
-// is dependent on the OSIE being used and should be updated with the OSIE reference object.
-type OSIE struct {
-	// OSIERef is a reference to an OSIE object.
-	OSIERef corev1.LocalObjectReference `json:"osieRef,omitempty"`
-
+	// +kubebuilder:validation:Maximum=4294967295
+	LeaseTimeSeconds int64 `json:"leaseTimeSeconds"`
 }
 
 // IPXE describes overrides for IPXE scripts. At least 1 option must be specified.
@@ -379,16 +372,18 @@ type WorkflowSpec struct {
 	// If no namespace is specified the Workflow's namespace is assumed.
 	TemplateRef corev1.LocalObjectReference `json:"templateRef,omitempty"`
 
-	// TemplateData is user defined data that is injected during template rendering. The data
-	// structure should be marshalable.
+	// TemplateParams are a list of key-value pairs that are injected into templates at render
+	// time. TemplateParams are exposed to templates using a top level .Params key.
+	//
+	// For example, if TemplateParams = {"foo": "bar"}, the foo key can be accessed via .Params.foo.
 	// +optional
-	TemplateData map[string]any `json:"templateData,omitempty"`
+	TemplateParams map[string]string `json:"templateParams,omitempty"`
 
-	// Timeout defines the time the workflow has to complete. The timer begins when the first action
-	// is requested. When set to 0, no timeout is applied.
+	// TimeoutSeconds defines the time the workflow has to complete. The timer begins when the first
+	// action is requested. When set to 0, no timeout is applied.
 	// +kubebuilder:default=0
 	// +kubebuilder:validation:Minimum=0
-	Timeout time.Duration `json:"timeout,omitempty"`
+	TimeoutSeconds int64 `json:"timeout,omitempty"`
 }
 
 type WorkflowStatus struct {
@@ -419,7 +414,8 @@ type ActionStatus struct {
 	// ID uniquely identifies the action status.
 	ID string `json:"id"`
 
-	// StartedAt is the time the action was requested. Nil indicates the Action has not started.
+	// StartedAt is the time the action was started as reported by the client. Nil indicates the
+	// Action has not started.
 	StartedAt *metav1.Time `json:"startedAt,omitempty"`
 
 	// LastTransition is the observed time when State transitioned last.
@@ -517,24 +513,6 @@ The conditions data structure will only be available on the `Workflow` CRD but i
 // ConditionType identifies the type of condition.
 type ConditionType string
 
-// ConditionSeverity expresses the severity of a Condition Type failing.
-type ConditionSeverity string
-
-const (
-  // ConditionSeverityError indicates the condition should be treated as an error.
-  ConditionSeverityError ConditionSeverity = "Error"
-
-  // ConditionSeverityWarning indicates the condition should be investigated but that everything
-  // may continue to function.
-  ConditionSeverityWarning ConditionSeverity = "Warning"
-
-  // ConditionSeverityInfo indicates the condition is informational only.
-  ConditionSeverityInfo ConditionSeverity = "Info"
-
-  // ConditionSeverityNone indicates the condition has no severity.
-  ConditionSeverityNone ConditionSeverity = ""
-)
-
 // ConditionStatus expresses the current state of the condition.
 type ConditionStatus string
 
@@ -559,14 +537,6 @@ type Condition struct {
    // Status of the condition.
    Status ConditionStatus `json:"status"`
 
-   // Severity with which to treat failures of this type of condition.
-   // +kubebuilder:default="Error"
-   // +optional
-   Severity ConditionSeverity `json:"severity,omitempty"`
-
-   // LastTransition is the last time the condition transitioned from one status to another.
-   LastTransition *metav1.Time `json:"lastTransitionTime"`
-
    // Reason is a short CamelCase description for the conditions last transition.
    // +optional
    Reason string `json:"reason,omitempty"`
@@ -598,6 +568,8 @@ Templates will have access to a subset of `Hardware` data when they are rendered
 
 All existing, custom template functions detailed in [`template_funcs.go`](https://github.com/tinkerbell/tink/blob/main/internal/workflow/template_funcs.go) will continue to be available during template rendering.
 
+Additionally, data specified on the new `Workflow.Spec.TemplateParams` field will be available from a top level `.Params` key. This compliments hardware data that is injected via the `.Hardware` key.
+
 ### Hegel API Changes
 
 Hegel will undergo a reduction in the endpoints it serves because the data is no longer available on the `Hardware` resource. Minimally, Hegel will serve the following endpoints: